webhard

Mirror Temple

dicectf_2026

Task: Spring Boot web app with Puppeteer admin bot; steal flag from httpOnly JWT cookie. Solution: Two-stage XSS via proxy CSP bypass - Charon proxy serves content without CSP, use httpbin base64 endpoint to host XSS payload on same origin.

$ ls tags/ techniques/

jwt xss kotlin reverse_proxy spring_boot csp_bypass puppeteer trusted_types charon_proxy httpbin

proxy_csp_bypasstwo_stage_xsssame_origin_html_injection_via_proxyhttpbin_base64_html_hostingcookie_exfiltration_via_image_beacon

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub, then upgrade to Pro.

$ssh [email protected]