In this write-up, we'll go over the solution for the medium-difficulty web challenge SteamCoin, which requires chaining several server-side and client-side vulnerabilities. The solution involves a JWT authentication bypass through misuse of the JKU header (made possible by an unrestricted file upload), HTTP request smuggling to bypass an ACL, and an XSS chained into a CSRF against an automated UI testing service to exfiltrate the flag from CouchDB.
The application homepage shows a login form and a link to the registration page. Since we don't have an account yet, we register one and log in. After logging in, the user is redirected to the following dashboard page:
The Settings page contains an upload form that accepts files with an image or pdf extension, and the link to the uploaded file is displayed after a successful upload:
Those are all the features accessible to a regular user of this web application. Since the source code is provided, we can look at the application routing in routes/index.js to see every endpoint available: