2024 Hack The Boo: Cursed Stale Policy

#htb #ctf #web #csp #cache #security-policy

Challenge Information

AttributeDetails
Event2024 Hack The Boo
CategoryWeb
ChallengeCursed Stale Policy

Summary

The Cursed Stale Policy challenge focuses on exploiting improper caching and Content Security Policy (CSP) configurations in a modern web application. The vulnerability lies in the interaction between stale cache management and CSP directives, allowing attackers to bypass security controls through carefully crafted requests.

Analysis

Application Architecture

The challenge features a full-stack JavaScript application:

Frontend: Vue.js-based SPA with:

  • Dynamic form handling
  • Real-time DOM manipulation
  • Socket.io for WebSocket communication
  • Syntax highlighting and element highlighting modules

Backend: Node.js/Express server with:

  • CSP middleware implementation
  • Vite development middleware
  • WebSocket/Socket.io handlers
  • Multiple route handlers for CSP testing

Key Vulnerabilities

  1. Stale Cache Interaction: The caching headers interact poorly with CSP policies
  2. Policy Bypass: Carefully timed requests can exploit the stale-while-revalidate pattern
  3. CSP Directive Issues: Misconfigurations in CSP headers create exploitation opportunities

Vulnerable Components

CSP Middleware (/challenge/backend/middleware/cspMiddleware.js):

  • Sets Content-Security-Policy headers
  • May not properly handle cache directives
  • Could allow stale content to bypass CSP checks

Vite Middleware (/challenge/backend/middleware/viteMiddleware.js):

  • Development server integration
  • May not apply CSP properly in development mode
  • Could expose resources that should be restricted

Solution

Step 1: Analyze CSP Headers

Examine the CSP headers returned by the application:

// In cspAnalyzer.js - understand the policy structure
const cspPolicy = headers['content-security-policy'];
// Look for:
// - missing directives (default-src not specified)
// - overly permissive directives ('unsafe-inline', wildcard sources)
// - missing X-Content-Type-Options: nosniff

Step 2: Test Cache Behavior

Make multiple requests to observe caching behavior:

  1. First request (cache miss)
  2. Subsequent requests (cache hit)
  3. Requests with cache-control headers

Step 3: Exploit Stale Cache

Send requests during the stale-while-revalidate window:

// Request during stale window
const response = await fetch('/api/content', {
    headers: {
        'Cache-Control': 'stale-while-revalidate=300'
    }
});

Step 4: Bypass CSP

Deliver content that violates CSP through the stale cache:

  • CSS with inline styles
  • JavaScript with inline code
  • Images from non-whitelisted sources

Step 5: Extract Flag

Once CSP is bypassed, extract the flag from protected resources.

Backend Code Structure

Main App (/challenge/backend/app.js):

const express = require("express");
const https = require("https");
const fs = require("fs");
const app = express();
const cookieParser = require("cookie-parser");
const bodyParser = require("body-parser");
const nunjucks = require("nunjucks");
const routes = require("./routes");
const Database = require("./database");


const db = new Database("party.db");


const privateKey = fs.readFileSync("/tmp/server.key", "utf8");
const certificate = fs.readFileSync("/tmp/server.cert", "utf8");
const credentials = { key: privateKey, cert: certificate };


app.use(bodyParser.urlencoded({ extended: false }));
app.use(express.json());
app.use(cookieParser());


nunjucks.configure("views", {
  autoescape: true,
  express: app,
});


app.set("views", "./views");
app.use("/static", express.static("./static"));


app.use(routes(db));

Route Handlers (/challenge/backend/routes/):

  • xss.js: XSS-related endpoints
  • csp.js: CSP testing endpoints
  • callback.js: Callback handlers
  • guidelines.js: CSP guidelines display

Key Takeaways

  • Cache Policy Interaction: Cache headers must be carefully coordinated with security policies
  • CSP Misconfiguration: Even small misconfigurations in CSP can lead to bypasses
  • Stale Content Risk: Stale-while-revalidate patterns can expose stale content to security risks
  • Defense in Depth: Rely on multiple layers of security rather than single controls
  • Testing Importance: Thoroughly test interactions between security mechanisms
  • Headers Matter: Understand HTTP header precedence and interaction (Cache-Control, CSP, X-Content-Type-Options)

Tools Used

  • Browser DevTools: For analyzing response headers and CSP violations
  • Burp Suite: For intercepting and modifying requests
  • curl/Postman: For manual header testing

References