SAPPY - Google CTF 2024

TLDR;
The challenge takes a user-supplied URL and visits it with a bot.
We abused the goog.Uri library, whose regex allowed \ in the URL, to bypass the getDomain() == challenge.com check and make the page load our website. We made a URL with two URLs in it: :\\\\mypage%2Ecom\\://sappy.chall/ , since \ is normalized to / in the URL.
We passed a URL to our site, which the bot then accessed; our page opened a window of the challenge website and sent a post message to it, since the challenge site had an event listener for messages.
Following the source code, we hosted a JSON file on mypage.com that had XSS in it, which would then be loaded on the page.
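The bug class behind this bypass is a parser differential: a hand-rolled, regex-based URL parser and the browser's WHATWG URL parser disagree about which host a string names, because the browser treats \ as / in http(s) URLs. The following is an added example, not code from this writeup or from the Closure Library; the regex in naiveGetDomain is a hypothetical stand-in (not goog.Uri's real one), the trusted origin https://challenge.com and the host mypage.example are constructed placeholders, and the payload string is constructed in the shape of the one above. It shows the naive check accepting the input while a resolved-origin check rejects it, and the origin check a postMessage listener should do.

```javascript
// Added example (not the writeup's or Closure Library's code): regex-based
// domain extraction vs. the WHATWG URL parser the browser's fetch() uses.

const TRUSTED_ORIGIN = "https://challenge.com"; // constructed placeholder

// Hypothetical regex-based domain extraction: takes the host after the first
// "://" found anywhere in the string and does not treat "\" as a delimiter.
function naiveGetDomain(url) {
  const m = /:\/\/([^/?#:@]+)/.exec(url);
  return m ? m[1] : null;
}

// Spec-compliant extraction: resolve the string exactly as the browser would,
// relative to the page's own origin, and read back the hostname.
function specGetDomain(url, base = TRUSTED_ORIGIN + "/") {
  try {
    return new URL(url, base).hostname;
  } catch {
    return null; // unparseable input is rejected, not guessed at
  }
}

// Hardened allow-check: compare the resolved origin, not a regex-extracted
// domain, so "\" normalization cannot move the request to another host.
function isTrustedUrl(url, base = TRUSTED_ORIGIN + "/") {
  try {
    return new URL(url, base).origin === TRUSTED_ORIGIN;
  } catch {
    return false;
  }
}

// Receiving side of the postMessage step: a listener should verify
// event.origin before acting on event.data. Returns the accepted data or null.
function handleMessage(event) {
  if (event.origin !== TRUSTED_ORIGIN) return null;
  return event.data;
}

// Constructed input in the shape of the writeup's payload: backslashes where
// slashes would be, with the trusted host appearing later in the string.
const PAYLOAD = "\\\\mypage.example\\://challenge.com/";

if (typeof require !== "undefined" && require.main === module) {
  console.log("naive  :", naiveGetDomain(PAYLOAD)); // challenge.com
  console.log("spec   :", specGetDomain(PAYLOAD));  // mypage.example
  console.log("trusted:", isTrustedUrl(PAYLOAD));   // false
}
```

The naive parser reports challenge.com for the payload, but when the same string is resolved against the page's origin the browser normalizes the leading \\ to // and lands on mypage.example, which is why a domain check must be made on the URL object the browser will actually fetch, and why a message listener must check event.origin rather than trust any window that can reach it.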
