PoisonedNote V2
MediumWeb Security
Overview
SCENARIO
A note-taking application, now with a Content Security Policy the developer is particularly proud of. XSS is still in the picture, but the CSP is standing in the way. Tight restrictions, a trusted CDN, and a nonce-based script allowlist.
You have full access to the source code. Read through every endpoint carefully, and find the vulnerability
Flag format: flag{}
Infrastructure
- Docker Container — HTTP on port 3000
Provided Files
- poisonednote2.zip (5.7 KB)
Job Positions
Penetration Tester
Tags
XssContent Security PolicyOpen RedirectSource Code ReviewJavascript