webhard

Mirror Temple B-Side

dicectf_2026

Task: Steal admin's flag from httpOnly JWT cookie in a Spring Boot app with strict SHA384-only CSP. Solution: Bypass CSP entirely via Charon reverse proxy endpoint that serves content without security headers, enabling same-origin XSS through httpbin base64 HTML hosting.

$ ls tags/ techniques/

jwt xss kotlin reverse_proxy spring_boot csp_bypass puppeteer trusted_types charon_proxy httpbin sha384_csp

proxy_csp_bypasstwo_stage_xsssame_origin_html_injection_via_proxyhttpbin_base64_html_hostingcookie_exfiltration_via_image_beacon

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub, then upgrade to Pro.

$ssh [email protected]