c/ctf/2025-tjctf/web/double-nested #16

2025-06-23T07:26:11Z

giscus[bot]
bot Jun 23, 2025

c/ctf/2025-tjctf/web/double-nested

It was immediately clear that we can get a 'hosted' JS endpoint with /gen.

https://yun.ng/c/ctf/2025-tjctf/web/double-nested

p5ych2022 · 2025-06-25T11:54:14Z

p5ych2022
Jun 25, 2025 — with giscus

What does "their poc don't work since images are blocked" mean? My understanding is that the iframe here, which obtains the parent page referer through data, is at an unsafe level under the policy of strict-origin-when-cross-origin

1 reply

octo-kumo Jun 26, 2025 — with giscus
Maintainer

iirc, images are blocked completely by the csp.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

c/ctf/2025-tjctf/web/double-nested #16

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

c/ctf/2025-tjctf/web/double-nested #16

Uh oh!

giscus[bot] bot Jun 23, 2025

c/ctf/2025-tjctf/web/double-nested

Replies: 1 comment · 1 reply

Uh oh!

p5ych2022 Jun 25, 2025 — with giscus

Uh oh!

octo-kumo Jun 26, 2025 — with giscus Maintainer

giscus[bot]
bot Jun 23, 2025

Replies: 1 comment 1 reply

p5ych2022
Jun 25, 2025 — with giscus

octo-kumo Jun 26, 2025 — with giscus
Maintainer