CSP Bypass can't be solved with Hastebin anymore (once again)

[c0mput3r5c13nt15t]

Describe the bug
Hastebin which was the alternative to pastebin changed their API to require authentication for getting the raw content (see docs). You can't however add the required token as a URL parameter, but instead have to set the header, which makes the challenge unsolvable. (Unless you use something like Burp Suite to capture the request and change the header, which is not meant to be part of the challenge.)

To Reproduce
Steps to reproduce the behaviour:

1. Go to hastebin
2. Create a script
3. Share it
4. Replace /share/ with /raw/
5. Be disappointed because you get a 401

Expected behaviour
You would expect to just get the raw content.

Screenshots
This is the error message you get when trying to access the raw content

Additional context
Hastebin docs for reference

Links to the hastebin
https://hastebin.com/share/omicituwup.scss
https://hastebin.com/raw/omicituwup.scss (will give you the shown error message)

Hope it helps and that I didn't overlook anything.

[digininja]

Any suggestions for alternatives?

…

On Wed, 1 Mar 2023, 21:53 Paul Maier, ***@***.***> wrote: *Describe the bug* Hastebin which was the alternative to pastebin changed their API to require authentication for getting the raw content (see docs). You can't however add the required token as a URL parameter, but instead have to set the header, which makes the challenge unsolvable. (Unless you use something like Burp Suite to capture the request and change the header, which is not meant to be part of the challenge.) *To Reproduce* Steps to reproduce the behaviour: 1. Go to hastebin 2. Create a script 3. Share it 4. Replace /share/ with /raw/ 5. Be disappointed because you get a 401 *Expected behaviour* You would expect to just get the raw content. *Screenshots* This is the error message you get when trying to access the raw content [image: Screenshot_20230301_224724] <https://user-images.githubusercontent.com/76663511/222272279-d6dfacbd-dea4-4212-accd-83aa48804712.png> *Additional context* Hastebin docs <https://www.toptal.com/developers/hastebin/documentation> for reference Links to the hastebin https://hastebin.com/share/omicituwup.scss https://hastebin.com/raw/omicituwup.scss (will give you the shown error message) Hope it helps and that I didn't overlook anything. — Reply to this email directly, view it on GitHub <#539>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAA4SWP5G66TYZNJZIWM2XDWZ7APLANCNFSM6AAAAAAVMTD4XY> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[c0mput3r5c13nt15t]

Could GitHub Gist work?

[digininja]

Looks like it might, but it seems too obvious that I didn't look at that in the first place so there may be some catch it with. I'll have a look in the morning.

…

On Wed, 1 Mar 2023, 21:59 Paul Maier, ***@***.***> wrote: Could GitHub Gist work? — Reply to this email directly, view it on GitHub <#539 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAA4SWI7X65WK6P7NKOYCRLWZ7BEFANCNFSM6AAAAAAVMTD4XY> . You are receiving this because you commented.Message ID: ***@***.***>

[c0mput3r5c13nt15t]

Just checked but there seems to be the same MIME type issue that already made postbin useless

[digininja]

There had to be a reason!

…

On Wed, 1 Mar 2023, 22:05 Paul Maier, ***@***.***> wrote: Just checked but there seems to be the same MIME type issue that already made postbin useless — Reply to this email directly, view it on GitHub <#539 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAA4SWLRAMM7UEXBWJ6OULLWZ7BZ5ANCNFSM6AAAAAAVMTD4XY> . You are receiving this because you commented.Message ID: ***@***.***>

[c0mput3r5c13nt15t]

I've now tried a few of these services, but all of them seem to suffer from this issue

[digininja]

I've asked on Twitter for alternatives, will see what comes back.

https://twitter.com/digininja/status/1631238650951245824