Below you can find my solution for RoflScale task from CONFidence DS CTF 2016.
Proof of Concept:
We have a proxy written in Python:
and a program written in Ruby:
Our job is to send a /dump request to the program through the proxy.
To do that, we need to check the urlparse manual:
So when we run this code:
Knowing that, we can try to put
So maybe we can encode / using percent-encoding:
Again the same result. Why? Because the unquote function is used, but only once. So maybe we can encode
http://localhost:3000/our_path;%2fdump is passed to Ruby as
if path.end_with? '/dump' evaluates to
The final solution is:
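The discrepancy described above comes from two parsers disagreeing about the same string: Python's urlparse splits a trailing `;params` off the last path segment, so a filter that looks only at `.path` never sees what follows the `;`, while the Ruby side receives the once-unquoted path and params together. The snippet below is an added illustration and not the proxy or program code from the original write-up (which is not reproduced on this page); it assumes the proxy compares `urlparse(url).path` after a single unquote and forwards the unquoted path-plus-params string, and it ends with a hardened filter that checks exactly the string the backend will route on.

```python
from urllib.parse import urlparse, unquote

# Constructed sample URLs for the walkthrough (not taken from the original page)
PLAIN = "http://localhost:3000/dump"
ENCODED = "http://localhost:3000/%2fdump"
PARAMS = "http://localhost:3000/our_path;%2fdump"


def proxy_sees(url: str) -> str:
    """Assumed proxy view: only the urlparse().path component, unquoted once."""
    return unquote(urlparse(url).path)


def proxy_blocks(url: str) -> bool:
    """Assumed proxy filter: refuse when the path it sees ends with /dump."""
    return proxy_sees(url).endswith("/dump")


def forwarded_path(url: str) -> str:
    """Assumed forwarding: path and ;params rejoined, then unquoted once."""
    p = urlparse(url)
    joined = p.path + (";" + p.params if p.params else "")
    return unquote(joined)


def backend_is_dump(path: str) -> bool:
    """Mirror of the Ruby check `path.end_with? '/dump'` quoted in the write-up."""
    return path.endswith("/dump")


def hardened_blocks(url: str) -> bool:
    """Defensive filter: decide on the same string the backend will see.

    It rejoins path and params, unquotes once exactly as the forwarder does,
    and additionally refuses anything that is still percent-encoded after
    that single decode, so a second layer of encoding cannot slip past.
    """
    seen = forwarded_path(url)
    return seen.endswith("/dump") or "%" in seen


def walkthrough(url: str) -> dict:
    """Summarise how the three vantage points treat one URL."""
    return {
        "proxy_path": proxy_sees(url),
        "proxy_blocks": proxy_blocks(url),
        "backend_path": forwarded_path(url),
        "backend_is_dump": backend_is_dump(forwarded_path(url)),
        "hardened_blocks": hardened_blocks(url),
    }


if __name__ == "__main__":
    for u in (PLAIN, ENCODED, PARAMS):
        print(u, walkthrough(u))
```

Running it shows that urlparse reports `/our_path` as the path for the `;%2fdump` URL (the `%2fdump` lands in `.params`), so a path-only filter lets it through even though the backend ends up routing `/our_path;/dump`. The hardened variant closes that gap by evaluating the decoded, rejoined string rather than one component of it.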