Can you spot the vulnerability? 16022023 intigriti
Given Code Snippet:
Code review:
easy-eval.js

```javascript
if (window.debug) {
  // eval() runs whatever the page exposes as window.debug, i.e. the element with id="debug"
  // only <a> and <area> elements are usable here: they carry an href attribute and their toString() returns exactly that attribute
  eval(window.debug.toString());
}
```
easy-xss.js

```javascript
const pos = document.URL.indexOf('name=') + 5; // user input starts right after "name="
const name = document.URL.substring(pos, document.URL.length); // naive GET parameter parsing
const container = document.getElementById('container');
container.innerHTML = decodeURI(name); // no sanitization: the parameter is parsed as HTML
```
index.html

```html
<!-- an inline script tag cannot be used here because script-src only allows 'self' -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-eval'">
<div id="container"></div>
<script src="easy-eval.js"></script>
<script src="easy-xss.js"></script>
```
The Vulnerability
User input from the name parameter is passed straight to innerHTML, so the browser renders it as markup: inserting <h1>asdf</h1>, for example, shows asdf in bold, which confirms that the HTML tag is parsed.
Exploitation
Here the application's Content Security Policy (CSP) is not enough to stop arbitrary JavaScript from executing. An iframe with a srcdoc attribute satisfies the default-src 'self' condition of the CSP, because a srcdoc iframe is treated as if its src were self. Combined with the missing sanitization, this allows JavaScript to be injected into the victim's browser.
Payload
```
http://127.0.0.1:8000/?name=<iframe srcdoc="<a id=debug href=pb:alert(document.domain)><script src=easy-eval.js></script>">
```
The srcdoc attribute injects an <a> tag with id=debug, which makes the if statement in easy-eval.js pass (the element is reachable as window.debug). Its href attribute is set to pb:alert(document.domain). The first part, pb, should be a non-existing protocol; JavaScript parses pb: as a label, so the rest of the string is evaluated as an ordinary statement. Any protocol that contains // would not work, because // starts a comment in JavaScript: http:// or ftp:// would comment out the payload and it would never execute. After that, easy-eval.js is included again inside the srcdoc document, so the script is re-initialized there and executes the code.
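As an added example (not part of the original write-up or the challenge files), here is a hardened replacement for easy-xss.js that parses the name parameter with the URL API and writes it with textContent, plus a small check that tells whether a CSP string still permits eval(). The function names are my own; `renderName` accepts any object with a textContent property so it can be exercised outside a browser.

```javascript
// Hardened version of easy-xss.js (added example, not the challenge's code).

// Extract the "name" query parameter from a full page URL.
// URLSearchParams handles percent-decoding and '+' correctly, unlike
// indexOf/substring plus decodeURI. Returns null when the parameter is absent.
function getNameParam(pageUrl) {
  return new URL(pageUrl).searchParams.get('name');
}

// Render the name as text, never as markup. `container` is any object with a
// textContent property (a DOM element in the browser, a plain object in tests).
// An injected "<iframe srcdoc=...>" is displayed literally instead of parsed.
function renderName(container, name) {
  container.textContent = name === null ? '' : name;
  return container.textContent;
}

// Does a CSP header still allow eval()? eval is governed by script-src; when
// script-src is absent the browser falls back to default-src, and when neither
// is present scripts are unrestricted, so eval is allowed.
function cspAllowsEval(cspHeader) {
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Browser entry point; guarded so the file also loads under Node.
if (typeof document !== 'undefined') {
  renderName(document.getElementById('container'), getNameParam(document.URL));
}
```

The original meta tag fails the check because of 'unsafe-eval' in script-src; dropping that source (and the eval call in easy-eval.js) removes the second half of the chain even if the innerHTML sink were left in place.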
XSS
Paweł Wąsik and I worked together to understand and identify the JS code and the vulnerability respectively. This challenge seems to be quite interesting and we were able to gain new knowledge from it.
Thanks Richard for providing an excellent explanation that greatly contributed to our understanding of the subject.
Refer to this thread to gain a better understanding of the issue.
Here’s a link to the next fun challenge Leek NFT challenge 0223 — Intigriti.