Description
A collaborative pixel-art web app has an admin bot that reacts to reported artwork. The challenge involves using CSRF or XSS to trick the admin into triggering a privileged action, or exploiting a race condition in the pixel-writing logic.
Setup
Interact with the pixel-art app to understand the drawing mechanics.
Analyze the source code for CSRF protections, XSS sinks, or race conditions.
Set up an exfiltration listener and craft a malicious payload.
# Open the challenge URL in your browser and inspect the page sourcecurl -s http://saturn.picoctf.net:<PORT_FROM_INSTANCE>/ | grep -i csrfcurl -s http://saturn.picoctf.net:<PORT_FROM_INSTANCE>/ | grep -i scriptSolution
Walk me through it- Step 1Audit the app for vulnerabilitiesRead the page source and JavaScript. Look for: missing CSRF tokens on state-changing requests, unsanitized innerHTML rendering of art titles or descriptions, or unprotected admin-only endpoints.
Learn more
CSRF (Cross-Site Request Forgery): if the app uses cookie-based authentication and doesn't validate a CSRF token, an attacker can create a page that makes requests on the victim's behalf. Example: an image tag or form submission that calls an admin action.
XSS: if artwork names, descriptions, or chat messages are rendered without escaping, injecting a script payload will execute in the admin bot's browser when it views the art.
Race condition: if there's a check-then-act pattern (e.g., check if pixel is owned, then write), two concurrent requests can both pass the check before either updates the state, allowing double writes or privilege escalation.
- Step 2Exploit the identified vulnerabilityCraft a CSRF page (if CSRF) or inject a stored XSS payload (if XSS sink found) to execute actions as the admin bot.bash
# For CSRF: create an HTML page that auto-submits to the admin action endpoint # For stored XSS: find where unsanitized user input is rendered and inject payload # Example CSRF auto-submit page: cat > exploit.html << 'EOF' <form id='f' action='http://CHALLENGE_URL/admin-action' method='POST'> <input name='action' value='give_flag'> </form> <script>document.getElementById('f').submit()</script> EOFLearn more
For a CSRF attack: host the exploit page on a public server (or use webhook.site), then report that URL to the admin bot. When the bot visits your exploit page, the embedded form or fetch() request will fire against the challenge server, carrying the bot's session cookie automatically (same-origin cookies).
CSRF defenses include: CSRF tokens (random values bound to the session), SameSite cookie attribute (
SameSite=StrictorLaxprevents the cookie from being sent in cross-site requests), and checking the Origin header.For a race condition exploit: send many simultaneous requests (using asyncio, threading, or Burp Repeater's parallel send feature) to win the race between the check and the update.
- Step 3Collect the flag from the admin's response or sessionAfter the admin bot executes your action, the flag appears in the app's state, in a response, or is exfiltrated to your listener.
Learn more
After exploitation, check: the app's main page for newly visible content (the flag may appear publicly), your webhook listener for exfiltrated data, or the admin panel URL directly (if the admin action gave you elevated privileges).
Real-world collaborative apps (Figma, Miro, Notion) have extensive security reviews precisely because user-generated content is rendered to other users. Content security policies, DOMPurify sanitization, and strict CSRF protections are standard defenses. This challenge illustrates what happens without them.
Flag
picoCTF{...}
This challenge was not solved during the competition. Exploit a CSRF vulnerability or stored XSS in the pixel-art app to trick the admin bot into revealing the flag.