Skip to content

CSAWCTF Quals 2025 - web/orion-override #46

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mmstoic wants to merge 1 commit into
base: main
Choose a base branch
from
Open

CSAWCTF Quals 2025 - web/orion-override #46

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file added csaw-2025/web/images/inspect.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added csaw-2025/web/images/login.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
52 changes: 52 additions & 0 deletions csaw-2025/web/writeup.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
# CSAW CTF Quals 2025: web/orion-override

## Context & Vulnerability

We are provided a website that has a login page. We are not provided with challenge source code.

## Exploitation

When we are presented with a login page, our first instinct is to bypass the login process with something like SQLi. In this case, logging in was actually much easier. If we inspect the site with our browser, we can see a comment in the HTML with a username and password (redacted in the challenge solutions):

![Image: log in page](images/login.png)

![Image: inspect results](images/inspect.png)

Upon logging in, we see a dashboard where we must click the "Abort" button to abort the mission. However, only admin is able to abort the mission.

We notice our URL, which ends in admin=false.

`http://localhost:3000/dashboard?admin=false`

Our first instinct is to switch false to true, but this still doesn't let us abort the mission.

We may try an HTTP parameter pollution attack, where we overload the parameters of the end of a URL in hopes that the backend doesn't properly check all fields. We try a URL as such:

`http://localhost:3000/dashboard?admin=true&admin=true`

Now, we see we are able to abort the mission!

## Vulnerability

A HTTP parameter pollution (HPP) vulnerability is caused by a misconfiguration in how parameters are parsed. The CTF organizers provided a snippet of how they parsed parameters in the solution:

```JavaScript
if (Array.isArray(adminParam)) {
// multiple admin params → check only last, no session check
if (adminParam.at(-1) === "true") {
return res.sendFile(__dirname + '/views/admin.html');
}
}
```

As we can see, the code only checks for the last parameter, and also doesn't do a session check to see if we are admin. These two vulnerabilities combined allow us to do HPP.

## Remediation

The solution here is simple: better configure your parameter checks to ensure the correct parameter is admin! Additionally, providing a session check that we are admin would help strengthen our app.

# Sources/Credits

Written by Madalina Stoicov

- https://github.com/osirislab/CSAW-CTF-2025-Quals-Public/tree/main