---
layout: post
title: "Intigriti's Nov XSS Challenge Writeup"
subtitle: XSS
cover-img: /assets/img/wsc.jpg
thumbnail-img: /assets/img/wsc.jpg
share-img: /assets/img/wsc.jpg
tags:
---
Challenge URL: https://challenge-1122.intigriti.io/

Basically, this is also a note-taking application, like the previous month's challenge. The goal of the challenge is to take over the admin's account, which has the flag in it.
- This challenge is organized in a bit different (weird) way.
- The notes application runs on api.challenge-1122.intigriti.io, and cdn.challenge-1122.intigriti.io is used to store users' notes and profile pictures.
- Interestingly, cdn.challenge-1122.intigriti.io uses Varnish to cache static files.
- Also, the JavaScript code on api.challenge-1122.intigriti.io reflects one more subdomain, staging.challenge-1122.intigriti.io, and the staging domain runs the same application. But here is an ATO vuln: the JWT signing secret is the same for staging and the main domain. So we can register any username on staging and use the signed JWT on api.challenge-1122.intigriti.io to take over any account (but the admin username is unpredictable).
- Notes are stored following the pattern cdn.challenge-1122.intigriti.io/<username>-<uuid>.html
- Also, a CSP is present in the response header: `Content-Security-Policy: script-src 'none'; object-src 'none'`. So JavaScript execution will be blocked.
- As you can see, the picture below shows that profile pictures are cached and served from cache (`X-Cache: HIT`).
- After playing a bit, I found that Varnish caches the static files, and it identifies a "static file" by its extension: `.png`, `.jpg`, etc.
- By sending the request below 2 times, we can clearly see that this request is identified as a "static file" and cached by Varnish.
- Surprisingly, there is no CSP here. So, by abusing this, it is possible to exploit XSS here.
- I found 2 possible solutions:
  - Use the above XSS to register a service worker on cdn.challenge-1122.intigriti.io that caches all requested pages => redirect the admin bot to api.challenge-1122.intigriti.io; when this page loads, the notes created by the admin bot are loaded into the page => the service worker caches those pages => send the cached URLs over to the attacker's site.
  - Another solution: with the XSS on cdn.challenge-1122.intigriti.io, call `window.open("https://api.challenge-1122.intigriti.io")`. When api.challenge-1122.intigriti.io loads, it loads all posts created by the user (the admin bot here) by framing cdn.challenge-1122.intigriti.io/<username>-<uuid>.html => here, api.challenge is the child (opened window) and cdn.challenge is the parent (opener). So it is possible to read the frame's src from cdn.challenge in the api.challenge window, if the frame-src is the same origin as cdn.challenge.
- After leaking the iframe link, we know the admin's username, so we can create an account on the staging domain with that username => get a signed JWT => use that JWT on api.challenge-1122.intigriti.io to take over the admin account. The flag is in the admin's profile pic:

INTIGRITI{workinghardorhardlyworking?}
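The shared-signing-key account takeover used above and in the final step, as an added example that is not part of the original writeup: a minimal HS256 signer and verifier showing why one secret across staging and production lets a token minted on staging pass on the production API, and how per-environment keys plus an `aud` check close that gap. The secrets, the username and the audience names are constructed placeholders; the challenge's real values are not on the page.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT, standing in for the app's registration/login endpoint."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token: str, secret: bytes, expected_aud=None):
    """Return the claims if the token is valid for THIS deployment, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if expected_aud is not None and claims.get("aud") != expected_aud:
        return None  # a staging token must not be accepted by the production API
    return claims

# Constructed secrets and username; the real challenge values are not on the page.
SHARED_SECRET = b"constructed-shared-secret"
STAGING_SECRET, PROD_SECRET = b"constructed-staging-secret", b"constructed-prod-secret"
ADMIN = "admin-username-placeholder"

def weak_setup():
    """Same secret on staging and prod, no audience check: the staging token is valid on prod."""
    staging_token = sign_hs256({"sub": ADMIN}, SHARED_SECRET)  # minted by registering on staging
    return verify_hs256(staging_token, SHARED_SECRET)          # prod accepts -> account takeover

def hardened_setup():
    """Per-environment keys plus an `aud` claim: the same token fails either check on prod."""
    staging_token = sign_hs256({"sub": ADMIN, "aud": "staging"}, STAGING_SECRET)
    wrong_key = verify_hs256(staging_token, PROD_SECRET, expected_aud="api")
    same_key_wrong_aud = verify_hs256(staging_token, STAGING_SECRET, expected_aud="api")
    return wrong_key, same_key_wrong_aud
```

Rotating to separate keys alone is enough to break the takeover; the `aud` claim additionally protects against a future deployment that accidentally shares a key again.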
That's one awesome writeup. ☺️
Thank you for giving this.