h1-415-ctf: @_bayotop h1-415-ctf writeup

News category: Vulnerabilities
Source: vulners.com


TL;DR: Thanks for the challenge!

- Abusing account recovery via QR codes to get access to [email protected].
- Blind XSS in /support/review/<review_id> (including CSP bypass).
- Missing input sanitization on the name parameter when POSTing to /support/review/<review_id>.
- Access to the remote debugging port on a local Chrome instance, leaking the ID of the secret document.

h1ctf{y3s_1m_c0sm1c_n0w}

I also included a Python script, F691360, which goes through the whole challenge (it is the result of a number of scripts I used to automate repetitive tasks).

Details

Introduction

https://h1-415.h1ctf.com hosted a simple web application that converted images into PDF files. Anyone could register a trial account. Signing in gave access to the converter and to basic account management, which allowed only a name change. The converter accepted only JPG and PNG uploads. The resulting PDF included the uploaded image and the user's name.

Step 1 - One '{' is all it takes.

After a few attempts to include HTML in my user name (< and > were filtered) and to upload arbitrary files, both seemed to be dead ends. I decided to focus on the account recovery flow. After a successful registration, the application would generate a QR code for account recovery. The QR code was a string in the following format:

ascii_hex([email protected]):<some_random_secret_in_hex>

After submitting the QR code to /recover, the application would respond with a new session giving access to the user account. After... ...
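An added example, not code from the original writeup or from the challenge application: a strict server-side parser and check for a recovery string in the `ascii_hex(email):secret` format described above. The account store, the sample addresses and secrets, the function names and the allowed address alphabet are constructed assumptions.

```python
from __future__ import annotations

import hmac
import re

# Constructed sample data (not from the page): email -> recovery secret in hex.
ACCOUNTS = {
    "alice@example.test": "5f2b9c0d1e3a4b6c7d8e9fa0b1c2d3e4",
    "bob@example.test": "00112233445566778899aabbccddeeff",
}

HEX_RE = re.compile(r"[0-9a-f]+")
# Assumed conservative address alphabet; anything else is rejected outright.
EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+")


def make_recovery_code(email: str, secret_hex: str) -> str:
    """Build the string carried by the QR code: ascii_hex(email):secret."""
    return f"{email.encode('ascii').hex()}:{secret_hex}"


def parse_recovery_code(code: str) -> tuple[str, str]:
    """Split and strictly validate a recovery code; raise ValueError if malformed."""
    email_hex, sep, secret_hex = code.partition(":")
    if not sep or not HEX_RE.fullmatch(email_hex) or not HEX_RE.fullmatch(secret_hex):
        raise ValueError("expected <hex email>:<hex secret>")
    if len(email_hex) % 2:
        raise ValueError("odd-length hex in email part")
    try:
        email = bytes.fromhex(email_hex).decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("email part is not ASCII") from exc
    # Reject unexpected characters instead of stripping or rewriting them,
    # so the decoded value is looked up exactly as it was submitted.
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("unexpected characters in email part")
    return email, secret_hex


def recover(code: str, accounts: dict[str, str]) -> str | None:
    """Return the account email only if the secret belongs to that exact account."""
    try:
        email, secret_hex = parse_recovery_code(code)
    except ValueError:
        return None
    expected = accounts.get(email)
    if expected is None:
        return None
    # Constant-time comparison against the secret stored for this address only.
    return email if hmac.compare_digest(expected, secret_hex) else None
```

The secret is checked against the one stored for the decoded address, so a valid secret from one account does not open another.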


