Analyzing Character Length Changes with the upper() Method
Hello Everyone, I’d like to share an intriguing discovery I made during a recent CTF (Capture The Flag) challenge centered around the Python upper() method.
Source Code:
@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'GET':
        return render_template('login.html')
    elif request.method == 'POST':
        # Check 1: the raw username must be shorter than 40 characters
        if len(request.values["username"]) >= 40:
            return render_template_string("Username is too long!")
        # Check 2: the uppercased username must be longer than 50 characters
        elif len(request.values["username"].upper()) <= 50:
            return render_template_string("Username is too short!")
        else:
            return flag
Our goal is to get the flag, but to reach it we have to get past both if conditions: the username must be shorter than 40 characters, yet its uppercase form must be longer than 50 characters.
It seems impossible, right? No, there is a way to bypass this.
Our first step is to check whether any characters have a length greater than 1 after being passed through the upper() method. To do this, I wrote a Python script that tests every character in the range 0 to 500:
# i is a Unicode code point; the output label says "ascii", but values above 127 are outside ASCII
for i in range(0, 500):
    t = chr(i)
    if len(t.upper()) > 1:
        print(f'character:{t} (ascii {i}) || lowercase length {len(t)} || when converted into uppercase its length is {len(t.upper())} ||')
Output:
character:ß (ascii 223) || lowercase length 1 || when converted into uppercase its length is 2 ||
character:ŉ (ascii 329) || lowercase length 1 || when converted into uppercase its length is 2 ||
character:ǰ (ascii 496) || lowercase length 1 || when converted into uppercase its length is 2 ||
Interestingly, a few characters grow from one character to two when uppercased. Our next objective is to use these characters to bypass the length checks built around the upper() method.
A username made of the character ‘ß’ repeated 39 times passes the first condition, since its length is below 40. When the same string is passed through upper(), its length becomes 78, which passes the second condition as well, and we finally get our flag.
Our Final Script:
s = 'ß'*39
print("Original string:", s)
print("Original string length:", len(s))
print("Uppercase version:", s.upper())
print("Uppercase version length:", len(s.upper()))
Output:
Original string: ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
Original string length: 39
Uppercase version: SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
Uppercase version length: 78
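Seen from the defensive side, the flaw is that the length limit is enforced on one form of the string while a different form is used afterwards. The following is an added example, not part of the challenge source or the original writeup: it extends the 0 to 500 scan to every Unicode code point and contrasts the raw-length check with one applied after the transformation. The names `MAX_LEN`, `expanding_chars`, `naive_ok` and `canonical_username`, and the choice of NFKC followed by upper() as the canonical form, are assumptions made for illustration.

```python
import sys
import unicodedata

MAX_LEN = 40  # assumed limit, mirroring the first check in the challenge


def expanding_chars(transform=str.upper):
    """Map every code point whose transformed form is longer than one character."""
    found = {}
    for cp in range(sys.maxunicode + 1):
        ch = chr(cp)
        mapped = transform(ch)
        if len(mapped) > 1:
            found[ch] = mapped
    return found


def naive_ok(raw):
    """The flawed pattern: the limit is checked on the raw input only."""
    return len(raw) < MAX_LEN


def canonical_username(raw):
    """Transform first, then enforce the limit on the string that is actually used."""
    canon = unicodedata.normalize("NFKC", raw).upper()
    if not 0 < len(canon) < MAX_LEN:
        raise ValueError(f"username must be 1-{MAX_LEN - 1} characters after normalization")
    return canon


if __name__ == "__main__":
    table = expanding_chars()
    worst = max(len(v) for v in table.values())
    print(f"{len(table)} code points grow under upper(); worst case is x{worst}")
    payload = "ß" * 39  # constructed input, same string as the writeup's final script
    print("raw-length check passes:", naive_ok(payload))
    try:
        canonical_username(payload)
    except ValueError as exc:
        print("post-transform check rejects:", exc)
```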
And that concludes our exploration! If you found this analysis intriguing, stay tuned for more insightful writeups in the future. Until then, happy hacking.