Timeline - Team Mashers

Cybersecurity Awareness Communication Challenge (CAC²) - CSAW

Background
CSAW is an annual cybersecurity event started in 2003 at New York University. Each year, it’s organized thanks to the efforts of students from around the globe. In Europe, the hosting institution is “INP - Esisar” in Valence, France. This year, alongside various conferences and competitions, the Cybersecurity Awareness Communication Challenge (CAC²) made its debut: a competition aimed at creating a communication strategy to raise cybersecurity awareness among a non-technical audience. ...

November 17, 2024 · 11 min · 2221 words

Perfect Shop - OpenECSC 2024

Perfect Shop
March 2024 - filtered and size-limited reflected XSS
“Do you like perfect things? Check out my new online shop!”
Prior knowledge: HTML, JavaScript

Context
The link to the challenge website and its corresponding source code are provided. At first glance, the website may seem a bit overwhelming: there are various functionalities, which means several endpoints and mechanisms to study in search of vulnerabilities. Fortunately, the code is relatively short and not very verbose, and all files except for server.js contain nothing of interest: products.js gathers information about the products, while the various templates seem to only display elements passed by the server. Their presence can be kept in mind, but the existence of a Server-Side Template Injection is temporarily ruled out. ...

March 27, 2024 · 26 min · 5526 words

Penguin Login - LACTF 2024

penguin-login
February 2024 - Blind SQL injection
“I got tired of people leaking my password from the db so I moved it out of the db.”
Prior knowledge: basic web-related knowledge, SQL

Context
We are provided with the link to the challenge website and the corresponding source code. The website is quite simple, and the usage of its features is straightforward. All the code is in app.py:

    ...
    allowed_chars = set(string.ascii_letters + string.digits + " 'flag{a_word}'")
    forbidden_strs = ["like"]

    @cache
    def get_database_connection():
        # Get database credentials from environment variables
        db_user = os.environ.get("POSTGRES_USER")
        db_password = os.environ.get("POSTGRES_PASSWORD")
        db_host = "db"

        # Establish a connection to the PostgreSQL database
        connection = psycopg2.connect(user=db_user, password=db_password, host=db_host)
        return connection

    with app.app_context():
        conn = get_database_connection()
        create_sql = """
        DROP TABLE IF EXISTS penguins;
        CREATE TABLE IF NOT EXISTS penguins (
            name TEXT
        )
        """
        with conn.cursor() as curr:
            curr.execute(create_sql)
            curr.execute("SELECT COUNT(*) FROM penguins")
            if curr.fetchall()[0][0] == 0:
                curr.execute("INSERT INTO penguins (name) VALUES ('peng')")
                curr.execute("INSERT INTO penguins (name) VALUES ('emperor')")
                curr.execute("INSERT INTO penguins (name) VALUES ('%s')" % (flag))
            conn.commit()

    @app.post("/submit")
    def submit_form():
        try:
            username = request.form["username"]
            conn = get_database_connection()
            assert all(c in allowed_chars for c in username), "no character for u uwu"
            assert all(
                forbidden not in username.lower() for forbidden in forbidden_strs
            ), "no word for u uwu"
            with conn.cursor() as curr:
                curr.execute("SELECT * FROM penguins WHERE name = '%s'" % username)
                result = curr.fetchall()
                if len(result):
                    return "We found a penguin!!!!!", 200
                return "No penguins sadg", 201
        except Exception as e:
            return f"Error: {str(e)}", 400
        # need to commit to avoid connection going bad in case of error
        finally:
            conn.commit()
    ...
We know that the website uses Postgres as the RDBMS/SQL database, and that the flag is contained in the penguins table along with the penguins. ...

February 18, 2024 · 9 min · 1752 words

Flag Shop - HSCTF 2023

June 2023 - Blind NoSQL injection
“hsctf pay to win confirmed?”
Prior knowledge: basic web-related knowledge, Burp Suite

Context
We are provided with the link to the website and its corresponding source code. The website appears to be very simple, and the source code is quite short. Content of app.py:

    import os
    import traceback
    import pymongo.errors
    from flask import Flask, jsonify, render_template, request
    from pymongo import MongoClient

    app = Flask(__name__)
    FLAG = os.getenv("FLAG")
    app.config["SECRET_KEY"] = os.getenv("FLASK_SECRET")
    mongo_client = MongoClient(connect=False)
    db = mongo_client.database

    @app.route("/")
    def main():
        return render_template("index.html")

    @app.route("/api/search", methods=["POST"])
    def search():
        if request.json is None or "search" not in request.json:
            return jsonify({"error": "No search provided", "results": []}), 400
        try:
            results = db.flags.find(
                {
                    "$where": f"this.challenge.includes('{request.json['search']}')"
                },
                {
                    "_id": False,
                    "flag": False
                }
            ).sort("challenge")
        except pymongo.errors.PyMongoError:
            traceback.print_exc()
            return jsonify({"error": "Database error", "results": []}), 500
        return jsonify({"error": "", "results": list(results)}), 200

    if __name__ == "__main__":
        app.run()

So we know that the website uses MongoDB as its (NoSQL) database. ...

July 14, 2023 · 7 min · 1329 words