Author: Michael Aquilina
Word count: 2421
Language: English
Hacker News points: None

Summary

The Disposable Message challenge at Fetch the Flag 2022 was a CSS injection challenge that required working around a Content Security Policy (CSP) restriction. The goal was to use CSS injection to extract information from a web page, specifically the flag value, which was stored in a `data-flag` attribute on an HTML div element. The challenge was made difficult by a strict CSP that prevented direct use of CSS injection techniques. However, because a disposable message could only be viewed once, checking whether a message later returned a 404 status code revealed whether it had been viewed, which made it possible to extract the flag value character by character. The exploit code was written in Python and generated messages with specific CSS selectors that would trigger URL loads when the attribute value matched certain patterns. The exploit also encoded the query string parameter in its entirety to trick the admin bot into including it in the view message URL. Once the full flag was obtained, it could be returned as the solution.