Sunday, October 23, 2016

Hack.me XSS challenge | solution



Hi,


On June 10, 2016 I published an XSS challenge on the hack.me platform that I called Small Youtube XSS. If you are here just for the solution and are not interested in the write-up, here you go: https://jsfiddle.net/n8dsb1w9/


Here were the rules and hints

Description

Hi, in this XSS challenge you need to use many tricks to make the vector work! It is not so hard and not so easy.


Rules

  • No user interaction allowed.
  • Use only modern browsers (IE11, FF49, etc.).
  • We need to see an alert box with the domain name.

Hints

  • Use (?xss=) to inject.
  • Try to find missing or weak *things* in the HTTP headers and the HTML source (what else!?).
  • Have you ever been told that you are too short to join the basketball team? Now you are too long to XSS this :p
  • Watch the video for motivation (https://www.youtube.com/watch?v=hzBCI13rJmA).

If you solve it please contact me (a.hussam[at]isecur1ty.org). Last but not least, enjoy.



--------------------------------------------------------------------------


The challenge has now been running for 4 months; it has been started more than 700 times and there are only 2 solvers. So here is the solution.


Solution


I deleted the source code a long time ago, so I will try to reconstruct what I wrote. I built this challenge around a multi-step filter that applies its filtering in serial steps:

  • First it replaces words like eval, setInterval and setTimeout with (xss-event).
  • Second it removes the word script (the key to the solution).
  • Third it replaces event handler attributes with (xss-event), except two of them.
  • htmlentities is enabled on the xss parameter, so less-than, greater-than and double quotation marks are useless.



  <video width="450" height="400" controls name=injection_here>
    <source src="http://www.google.com/test.mp4" type="video/mp4">
    Your browser does not support the video tag.
  </video>


Our injection point is in the video tag, so let's look at the event handlers for the video tag (HTML5 Video Events and API).


You will find that all of them have been filtered except two: onloadstart and onratechange.

onratechange requires user interaction, so we exclude it.


The domain is filtered, so we will use the script-removal trick!


Another problem: the payload can be only 26 characters long!


    $_GET['xss'] = substr($_GET['xss'], 0, 26);



Plot twist (https://en.wikipedia.org/wiki/Plot_twist)

We need another way to alert document.domain, since the regular payload is too long. We can use eval(): eval will run our string as JS code, but where can we put the string?! We can pass it in through window.name :)

eval is filtered too, but we can use the script trick again, so it becomes evscriptal(name).
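To show why this serial filter is the weak point, here is an added Python model of the chain described above (it is not the challenge's PHP source, which the author no longer has): the blocklist applied once in the challenge's order, the same blocklist repeated until the output stops changing, and a quoted attribute with both quote characters encoded, which fixes the problem without any word list. The keyword and handler lists are constructed from the write-up, and the small parser reports which attributes a browser would actually see.

```python
import html
import re
from html.parser import HTMLParser

# Constructed from the write-up: pass-1 keywords, pass-3 handlers (onloadstart
# and onratechange deliberately absent) and the final payload.
JS_KEYWORDS = ("eval", "setInterval", "setTimeout")
BLOCKED_HANDLERS = ("onload", "onerror", "onplay", "onpause", "onended")
PAYLOAD = "''onloadstart=evscriptal(name)"

def strip_blocklist(value: str) -> str:
    """One run of the challenge's three serial passes, in the original order."""
    for kw in JS_KEYWORDS:
        value = re.sub(r"\b%s\b" % kw, "xss-event", value, flags=re.I)
    value = re.sub("script", "", value, flags=re.I)  # 'evscriptal' -> 'eval'
    for h in BLOCKED_HANDLERS:
        value = re.sub(r"\b%s\b" % h, "xss-event", value, flags=re.I)
    return value

def encode_compat(value: str) -> str:
    """Mimics PHP htmlentities() without ENT_QUOTES: & < > " encoded, ' kept."""
    return html.escape(value, quote=False).replace('"', "&quot;")

def filter_serial(value: str) -> str:
    """The vulnerable pipeline: one blocklist run, then encoding."""
    return encode_compat(strip_blocklist(value))

def filter_fixpoint(value: str) -> str:
    """Blocklist repeated until stable: pass 2 can no longer rebuild a word pass 1 checked."""
    prev = None
    while prev != value:
        prev, value = value, strip_blocklist(value)
    return encode_compat(value)

def render_attr(value: str) -> str:
    """Context-aware fix: quoted attribute with both quote kinds encoded, so nothing can close it."""
    return 'name="%s"' % html.escape(value, quote=True)

class _VideoAttrs(HTMLParser):
    def handle_starttag(self, tag, attrs):
        if tag == "video":
            self.found = dict(attrs)

def video_attributes(markup: str) -> dict:
    """Parses a <video> start tag like a browser does and returns its attributes."""
    p = _VideoAttrs()
    p.found = {}
    p.feed(markup)
    return p.found
```

Rendering filter_serial(PAYLOAD) into the unquoted name attribute gives the browser a separate onloadstart attribute, while render_attr keeps the entire string inside name whatever words it contains.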

So, all in one, it will be:


<a href="http://s25504-102604-rmx.tarentum.hack.me/myvideo.php?xss=''onloadstart=evscriptal(name)" target="javascript:alert(domain);">click me</a>



And here we are

There are multiple ways to give a name to a window, such as window.open or the name attribute of an iframe. I allowed the page to be framed, but I added frame busting, which can be bypassed easily.


Solvers 


  • Adam Simuntis (adam.simuntis[at]secforce.com), with a nice and expected solution
  • Lucas Philippe (through a bug in my code, which is fixed)



I hope you enjoyed the write-up and the challenge; see you soon with another one.


If you want to contact me, reach me on my Twitter account @Abdulahhusam