Comment on page
Payback

Description
We got ourself a premium flag shop.
payback.zip
277KB
Binary
Solution
Code Review
The app consists of two parts - the frontend and the payment backend (front and payment). Interestingly the user accounts for the frontend and backend are separate!
When performing a transaction, a message is signed using ED25519 to prevent tampering. The message format is user{u}amount{amount}nonce{nonce}. The amount is checked, and since our balance is 0, we can only use 0 for the amount.
@app.route('/pay', methods=['GET', 'POST'])
def pay():
    if 'logged_in' not in session:
        return redirect(url_for('login', next=request.url))
​
    if request.method == "GET":
        return render_template('amount.html')
​
    amount = int(request.form.get('amount', 0))
​
    user = User.query.filter_by(name=session['name']).first()
​
    if amount > user.balance:
        return "Insufficient balance", 400
​
    if amount < 0:
        return "Invalid amount", 400
​
    cb = request.args['callback']
    u = request.args['user']
    nonce = request.args['nonce']
​
    m = f"user{u}amount{amount}nonce{nonce}".encode()
​
    sig = SIG_KEY.sign(m, encoding='hex')
​
    user.balance -= amount
    db.session.commit()
​
    return redirect(f"{cb}/callback?user={u}&amount={amount}&nonce={nonce}&sig={sig.decode()}", code=302)
The user is redirected to /callback on the frontend application.
This message is then verified by the frontend.
def callback():
    message, signature = b"", b""
​
    for param in request.args:
        if param == "sig":
            signature = request.args[param].encode()
            continue
​
        for value in request.args.getlist(param):
            message += param.encode()
            message += value.encode()
    
    print("Message", message, flush=True)
​
    try:
        verify_key.verify(signature, message, encoding='hex')
​
        user = User.query.filter_by(name=session['name']).first()
        nonce = int(request.args['nonce'])
​
        if nonce <= user.nonce:
            raise Exception
​
        user.nonce = nonce
        user.balance += int(request.args.get('amount', 0))
        db.session.commit()
    except:
        traceback.print_exc()
        return "Something went wrong", 400
​
    return redirect('home')
Notice that it iterates through the list of GET query parameters and adds them to the message before verifying that the message is the same as the one generated above.
Then, request.args.get('amount') is added to the user balance.
Parameter Pollution
Well, what if there are two amount arguments? Only the first occurrence is returned by request.args.get (so the amount added to the user's balance is the first amount argument), yet both occurrences are added to the message to be verified.
Since the message format is user{u}amount{amount}nonce{nonce} we can simply create a user with the username FRONTEND_USERNAMEamount1337. The resulting message is then userFRONTEND_USERNAMEamount1337amount0nonceNONCE.
The server gives us the signature for this message.
Then, we perform parameter pollution on the frontend:
GET /callback?user=FRONTEND_USERNAME&amount=1337&amount=0&nonce=NONCE&sig=SIGNATURE.
Due to the way the frontend processes the parameters, this will result in the exact same message as above being checked, although carrying a different meaning.
We have successfully added 1337 coins to our account!
The flag is CSR{sometimes_it's_really_hard_to_create_good_flags}
Enterprice File Sharing
Stonks Street Journal
Last modified 1yr ago