Hello, I'm currently participating in a CTF but I'm stuck and I don't know how to go further.
So the CTF is set up like this:
The CTF is hosted on a website that has some notes.
Cookie SameSite policy is set to "None"
Access-Control-Allow-Origin is not set, so it defaults to "same-origin"
You can submit a URL; after submission, a bot that uses "HeadlessChrome/130.0.6723.31" and has a special cookie that allows it to view the flag notes instantly visits it and runs whatever is on that page.
Here are the tips I got:
- Use chrome
- Find a vulnerability (in chrome?)
- Use the search endpoint (GET) and try sending a request; you should find a way to bypass CORS by using the HTTP response status code: if it's 200 you found a valid value in the search, if it's 404 (or an error) you didn't find anything
So the strategy is to send a request to https://ctf/search?s= and make a dictionary attack to find the flag.
For example:
https://ctf/search?s=a => 404
https://ctf/search?s=b => 404
https://ctf/search?s=c => 200
https://ctf/search?s=ca => 404
https://ctf/search?s=cb => 200
and so on
But I can't find a way to make the bot send a request that includes credentials (the cookie) and get the response.
If you have any ideas or if you need more details please let me know!
from hacking: security in practice https://ift.tt/C6xLgBm
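The status-code oracle the post describes, viewed from the defending side, as an added example that is not part of the original post or the CTF's own code. It models the two things that make the search endpoint observable from a cross-site page (the session cookie is sent cross-site because of SameSite=None, and the status differs between hit and miss) and shows a hardened handler that rejects cross-site subresource requests using Chrome's Fetch Metadata headers and answers hits and misses with the same status. The note store, the request objects, and the handler and helper names (`weakSearchHandler`, `hardenedSearchHandler`, `isAllowedByFetchMetadata`, `sessionCookie`) are constructed for this example.

```javascript
// Added example, not from the original post: how a search endpoint's
// status-code oracle arises and how a defender closes it. The note store,
// request shapes and handler names are constructed for illustration.

// Constructed sample data standing in for the "flag notes" the bot can see.
const NOTES = ["meeting at 10", "flag{constructed_sample_value}"];

function search(query) {
  return NOTES.filter((note) => note.includes(query));
}

// Weak handler, as the post describes the endpoint: the HTTP status depends
// on whether the query matched. A cross-site page cannot read the body, but
// load/error events reveal whether the status was 200 or an error, so the
// status alone is a one-bit oracle per request.
function weakSearchHandler(req) {
  const hits = search(req.query.s || "");
  return hits.length > 0
    ? { status: 200, body: JSON.stringify({ results: hits }) }
    : { status: 404, body: "" };
}

// Resource isolation policy built on the Fetch Metadata request headers
// (Sec-Fetch-Site / Sec-Fetch-Mode / Sec-Fetch-Dest) that current Chrome
// sends with every request. Requests from the site itself, or typed directly
// into the address bar, are allowed; so are top-level navigations (links
// into the site). A subresource load triggered by a cross-site page is not.
function isAllowedByFetchMetadata(req) {
  const h = req.headers;
  const site = h["sec-fetch-site"];
  // Assumption: a missing header means an old browser; it is let through and
  // the SameSite cookie attribute (below) acts as the second layer.
  if (site === undefined) return true;
  if (site === "same-origin" || site === "same-site" || site === "none") return true;
  // cross-site: only plain top-level GET navigations are acceptable.
  const isNavigation = h["sec-fetch-mode"] === "navigate" && req.method === "GET";
  const dest = h["sec-fetch-dest"];
  return isNavigation && dest !== "object" && dest !== "embed";
}

// Hardened handler: refuse cross-site subresource requests outright, and
// answer hits and misses with the same status so the status code carries
// no information even if a request does get through.
function hardenedSearchHandler(req) {
  if (!isAllowedByFetchMetadata(req)) {
    return { status: 403, body: "" };
  }
  const hits = search(req.query.s || "");
  return { status: 200, body: JSON.stringify({ results: hits }) };
}

// Set-Cookie value for the session. The post says SameSite is "None", which is
// what lets the bot's cookie ride along on a cross-site request; Lax (Chrome's
// default when the attribute is absent) withholds it on cross-site subresource
// requests, so the endpoint would see an unauthenticated request instead.
function sessionCookie(value, sameSite = "Lax") {
  return `session=${value}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Constructed request shapes. The first is what Chrome sends when a page on
// another site loads the endpoint as a subresource; the second is a normal
// in-app search issued from the site's own page.
function crossSiteRequest(query) {
  return {
    method: "GET",
    query: { s: query },
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "empty" },
  };
}
function sameOriginRequest(query) {
  return {
    method: "GET",
    query: { s: query },
    headers: { "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" },
  };
}

// Demonstration: the weak endpoint answers a cross-site probe differently for
// hit vs miss; the hardened one returns 403 for both cross-site and 200 for
// both in-app, so only the (same-origin-readable) body distinguishes them.
for (const q of ["flag", "zzz"]) {
  console.log(
    q,
    "weak/cross-site:", weakSearchHandler(crossSiteRequest(q)).status,
    "hardened/cross-site:", hardenedSearchHandler(crossSiteRequest(q)).status,
    "hardened/same-origin:", hardenedSearchHandler(sameOriginRequest(q)).status,
  );
}
```

Equalising the status code closes the specific channel the post's hint points at, but on its own it does not hide response size or timing; the structural fixes are the Fetch Metadata check, which stops a cross-site page from using the bot's session at all, and SameSite=Lax on the cookie, which means a cross-site request never carries the session in the first place. In a real deployment the `site === undefined` allowance should be reviewed against the browsers the site actually needs to support.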