The JSAPI challenges are a series of challenges related to web security that I write for niteCTF (hosted by Cryptonite, my (now former) college's CTF team).
I intend to write one more challenge for niteCTF 2023 centered around cross-site leaks.
This was my first time writing cross-site leak challenges and I underestimated how hard it would be to test for it :( This did cause quite a few issues, including the fact that for a large portion of the CTF, the Puppeteer bot was configured in a manner in which it was not even setting the flag in the cookie properly for undocumented-js-api.
That being said, I did have a lot of fun writing these challenges, drawing from experiences I had as a Google Summer of Code intern for Chrome. I want to keep these challenges documented (well, as far as my forgetful brain lets me) especially since a lot of web security, especially since I always seem to struggle to find a cross-site leaks war game to recommend to other students.
While the original site URL is down, I do intend to host the original challenges as well as the TBD 2023 challenges on a (hopefully static) domain once niteCTF 2023 has concluded, so that, provided you are able to run the bot script, you should be able to play these challenges as intended.
- https://ctf.zeyu2001.com/2022/nitectf-2022 (Zeyu2001)
- https://github.com/CyberTaskForce-Zero/niteCTF-2022-Undocumented-js-api (CyberTaskForce-Zero)
- https://squ1rrel.dev/tag/nitectf/ (Squ1rrel/nisala)
- https://github.com/Walid-Berrouk/NiteCTF_2k22_Write-Ups/tree/master/web/Undocumented_js-api
- https://crt.sh/?q=jsapi.tech (List of all solutions)