Official Stylish Discussion

Official discussion thread for Stylish. Please do not post any spoilers or big hints.

Nice challenge. Read the code meticulously. You’ll figure out

Anyone got any hints?

I got to the injection but can’t UNION after LIMIT… any hints?

oh… never mind… I got it… I will have to write a small code to make it more elegant… nice kek

Hi, need a hint please…

Hint 1:

app.use(function(req, res, next) {
	res.setHeader("Content-Security-Policy", "default-src 'self'; object-src 'none'; img-src 'self'; style-src 'self'; font-src 'self' *;")

Hint 2:

	async getSubmissionComments(submissionID, pagination=10) {
		return new Promise(async (resolve, reject) => {
			try {
                const stmt = `SELECT content FROM comments WHERE id_submission = ${submissionID} LIMIT ${pagination}`;
                resolve(await this.db.all(stmt));
			} catch(e) {


i got approvalToken but i cannot execute a successfully approval with token i’ve generated for my id

Finally understood pwned thanks

Im stuck here, any hints?

Hey can you drop another hint for me.The hint 1 provided by you was very helpful but still I am not able to figure out the exact injection payload.
I tried lot of css injection techniques, but i am unable to get the approval token.

how can we send Out-of-Band while only font-src ‘self’ * can use? img and style-src both self :<<

For the injection. What if you can’t get any strings? Maybe you can get some number…
As long as you have 255 comments or more… you can represent any ascii char using numbers…

i can steal all char in the token but i dont know the order :<<

1 Like

look at the token generation algorithm… I am sure you will sort it out…

yeh, i can steal the token but 2 days i try to bypass it const isAdmin = req => ((req.ip == ‘’) ? 1 : 0);
It was taken me a lot of time. I still dont bypass ssrf here :<<. smb help me

been going to school on this one what works there does not seem to work here. it seems i can steal all but what need, tells me i m missing class and forgot my id.

having to code has made it even more frustrating as it lets you test what you can do after you have the token.

maybe you could trigger the approval using the same trick you used to find the token…

sometimes just posting helps you figure out how to see what you could not see…

■■■, that sooooo coool