Tags: web xss cookies 

A link was provided to `https://imgr.pwn.institute/`, a not-yet-finished image sharing social networking site.

There were two pages available, `/login` and `/register`. The login form didn't accept any silly input (`admin:password`) so I registered an account and logged in.

It seemed the homepage was empty and the only functionality offered was to upload a profile picture on the `/profile` page, and submit a link to report any bugs to the developers on the `/report` page. I checked and saw that the login state appeared to be saved in a JWT cookie in the browser, which was **not** set to HTTP only.

From this it seemed clear the solution was going to involve sending a link to the developers using the report feature, to a page that contained an XSS attack to leak their session cookie and thus allow me to log in to the service as some form of elevated user. It seemed clear the only avenue I had of achieving an XSS was uploading some form of malicious image. Taking a look at the image upload form, it appeared to allow anything to be uploaded as long as it had a JPG extension. I played around with possible uploads for a while, but of course I would need to link to a page that contained the image (assuming I could get an XSS from an image...) and at the moment it wasn't clear what that page would be, as the `/profile` page would of course point to *their* profile, not mine...

Looking around within the HTML code of the homepage I spotted the following HTML comment `` which of course answered this question! This page allowed you to pass an `image id` in the URL which could be taken from the URL of the profile image after uploading, and appeared to output the metadata (*exif* data) of that image into the page... bingo!

I used `exiftool` to create a proof of concept JPG with a simple `hello world` value set as the image description within the metadata of the file, and sure enough after uploading the file and going to the `/imageinfo/<imageid>` endpoint, I saw a bold **hello world** in the page. With the proof of concept done the final steps were just to upload a suitable payload and submit the link to the developers.

I opted for a payload in the JPG's exif data that looked like so ``, uploaded the image as my profile picture, noted the id of the uploaded image, went to `/imageinfo/<imageid>` and I saw my request fire out to my server with my cookie! I copied the URL of the page and submitted it using the report feature. A few seconds later, I saw a request come in containing the flag - no need to log in with a cookie to get it after all, the developer's cookie was the flag.
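
The two weaknesses this writeup relies on, image metadata echoed into the page unescaped and a session cookie readable from script, are shown below next to their fixes. This is an added example, not the challenge's code or part of the original writeup; the function names, the `session` cookie name and the sample metadata are assumptions constructed for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: metadata as a server might read it from an uploaded JPG.
# The description carries markup, like the bold "hello world" proof of concept.
SAMPLE_EXIF = {
    "ImageDescription": "<b>hello world</b>",
    "Make": 'Acme & Sons "Pro"',
    "Model": "PhoneCam 3",
}


def render_imageinfo_unsafe(exif):
    """Weak form: metadata values are concatenated straight into the page."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in exif.items())
    return f"<table>{rows}</table>"


def render_imageinfo_safe(exif):
    """Hardened form: every key and value is HTML-escaped before output."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(
            html.escape(str(k), quote=True), html.escape(str(v), quote=True)
        )
        for k, v in exif.items()
    )
    return f"<table>{rows}</table>"


def session_cookie_header(token):
    """Build a Set-Cookie value that page script cannot read (HttpOnly)."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True   # hidden from document.cookie
    cookie["session"]["secure"] = True     # sent over HTTPS only
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    print(render_imageinfo_unsafe(SAMPLE_EXIF))
    print(render_imageinfo_safe(SAMPLE_EXIF))
    print(session_cookie_header("constructed.jwt.value"))
```

Escaping at output time is the primary fix; `HttpOnly` only limits what an injected script can read and does not stop the injection itself.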