Web - Client
CSP Bypass - Dangling markup 2 | Questions about the robot and the difference between this one and CSP Bypass - Dangling markup 1
Hello, I’m working on CSP Bypass - Dangling markup 2 and get stuck.
I have searched a lot of keywords and read a lot of materials, but still can’t find a way to solve it.
So I come here with some questions about this challenge.
Q1. What is the difference between CSP Bypass - Dangling markup 1 and CSP Bypass - Dangling markup 2, apart from the change from 'flag' to 'flagi' and the different browsers?
Q2. [redacted]
Q3. [redacted]
Q4. Do I need to set up a server to receive the result? (I mean, is RequestBin not enough for this challenge? Maybe I need to use something like nc? I have tried setting up a rogue FTP server and received nothing from the robot.)
Thanks in advance to anyone who can give me a hand.
CSP Bypass - Dangling markup 2 | Questions about the robot and the difference between this one and CSP Bypass - Dangling markup 1
Finally, I got it !!! 😄 For a medium-difficulty challenge, I spent much more time than it should have taken. 😕
To latecomers :
Some things may not work in your browser, but you can give them a try on the server. As a last hope, I used Burp Suite to submit a lot of payloads (it seems that this challenge has stricter submission limits than usual (https://www.root-me.org/?page=faq), and I got lots of 429s even at a very low speed) and some of them worked. 😇
Don’t think too much, there are ready-made cheat sheets online.
I think I can answer my questions above.
Q1 : Mainly the browser is different. Chrome seems to be more secure.
Q2 : Some HTML elements are not restricted. I'm on the right track.
Q3 : It seems not.
Q4 : That is not necessary, RequestBin is enough. The FTP protocol scheme does not seem to work.
CSP Bypass - Dangling markup 2 > FTP
Q4 : The FTP protocol scheme does not seem to work.
Anyway, I tested FTP locally and there is a problem with the question mark in the text. This question mark "broke" the URL (Wireshark capture) :
FTP
220 pyftpdlib 1.5.6 ready.
USER anonymous
331 Username ok, send password.
PASS chrome@example.com
230 Login successful.
SYST
215 UNIX Type: L8
PWD
257 "/" is the current directory.
TYPE I
200 Type set to: Binary.
SIZE / !</h1> <div class="message"> <p>At Quackquack corp the developers think that they do not have to patch XSS because they implement the Content Security Policy (CSP). But you are a hacker, right
550 / !</h1> <div class="message"> <p>At Quackquack corp the developers think that they do not have to patch XSS because they implement the Content Security Policy (CSP). But you are a hacker, right is not retrievable.
CWD / !</h1> <div class="message"> <p>At Quackquack corp the developers think that they do not have to patch XSS because they implement the Content Security Policy (CSP). But you are a hacker, right
550 No such file or directory.
PASV
227 Entering passive mode (127,0,0,1,221,1).
RETR / !</h1> <div class="message"> <p>At Quackquack corp the developers think that they do not have to patch XSS because they implement the Content Security Policy (CSP). But you are a hacker, right
550 No such file or directory.
QUIT
221 Goodbye.
– URI > "You must encode question mark (?) characters that are in the path" : https://www.ibm.com/docs/en/datapower-gateway/10.0.1?topic=open-url-ftp
That's a shame; I think that exfiltrating with another protocol could be more interesting than changing the "dangling markup".
CSP Bypass - Dangling markup 2 | Questions about the robot and the difference between this one and CSP Bypass - Dangling markup 1
Hello there,
Is there an issue with CSP Bypass - Dangling markup?
I succeeded in doing the second version, but I'm stuck on the first. That's the reason for my question.
If you have any advice or information, I’ll be glad to know it.
Thanks in advance.