This shows you the differences between two versions of the page.
isc:labs:07 [2024/11/17 19:28] florin.stancu |
isc:labs:07 [2024/11/20 10:17] (current) radu.mantu |
Line 142: | Line 142: | ||
=== 2 [30p]. Cross-Site Scripting === | === 2 [30p]. Cross-Site Scripting === | ||
- | * Can you exploit the WISIWYG editor to do some JS code injection for all visitors? Try to display [[https://www.w3schools.com/js/js_popup.asp|a popup]] using a ''<script>'' tag, for starters! | + | * Can you exploit the WISIWYG editor to do some JS code injection for all visitors? Try to display [[https://www.w3schools.com/js/js_popup.asp|a popup]], for starters! |
+ | |||
+ | <note important> | ||
+ | For unknown reasons, ''<script>'' tags are automatically removed by the [[https://quilljs.com|Quill WISIWYG]] editor. | ||
+ | |||
+ | To workaround that, simply change XSS injection strategy to use ''onerror'' attribute on a invalid image, e.g.: | ||
+ | ''%%<img src='/404' onerror='alert("hello")'>%%'' | ||
+ | </note> | ||
+ | <note warning> | ||
+ | DO NOT EDIT the entire ''%%<div class="ql-editor" contenteditable="true">%%'' element! The JavaScript WISIWYG editor has internal reference to this node, and if you invalidate it, the editor will become broken (and the exploit won't work!!!). | ||
+ | |||
+ | The proper way is to choose a inner ''%%<p>%%'' (just write some random text inside the editor beforehand) and edit that instead! | ||
+ | </note> | ||
* **//Hints//**: | * **//Hints//**: | ||
* The rich text editor doesn't provide a visual way to inject JavaScript code... but you can use your browser's developer console to inspect and edit the ''#editor'''s HTML directly! | * The rich text editor doesn't provide a visual way to inject JavaScript code... but you can use your browser's developer console to inspect and edit the ''#editor'''s HTML directly! | ||
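Review bot: the two new <note> blocks are inserted between two bullet items (the "Can you exploit..." item and the "Hints" item), which splits the DokuWiki list in two; either nest the notes under the first item with matching indentation or move them below the hint list. In the note text, "a invalid image" should be "an invalid image", "a inner <p>" should be "an inner <p>", and "To workaround that" should be "To work around that". "WISIWYG" is misspelled in both the old and the new lines (the acronym is WYSIWYG, "what you see is what you get"); since this revision already touches those lines, it is a good moment to fix all occurrences. "For unknown reasons" reads as a gap in the explanation: editors such as Quill keep only the markup their document model recognizes, so it is worth stating that the tag is dropped by design rather than by accident, which also explains why the payload has to ride on an element the editor does keep. Finally, the triple exclamation marks in the warning ("won't work!!!") are a style point; one is enough.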
Line 149: | Line 162: | ||
* Unfortunately, **there's no flag for this one**, you just need to prove you modified the slogan using XSS! | * Unfortunately, **there's no flag for this one**, you just need to prove you modified the slogan using XSS! | ||
- | <spoiler You you've never used JS DOM API: expand> | + | <spoiler If you've never used JS DOM API: expand> |
<code html> | <code html> | ||
- | <script> | + | // note: you need to concatenate this as a one-liner when injecting as 'onerror' |
var elem = document.querySelector("span.classNameHere"); | var elem = document.querySelector("span.classNameHere"); | ||
elem.innerHTML = "change the element's HTML directly using this!"; | elem.innerHTML = "change the element's HTML directly using this!"; | ||
- | </script> | ||
</code> | </code> | ||
</spoiler> | </spoiler> | ||
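Review bot: the snippet contains an unescaped apostrophe ("element's") inside a double-quoted JS string; when this is concatenated into a single-quoted onerror attribute, as the img example above does (onerror='...'), the apostrophe terminates the attribute early and the injected handler will not parse. Either drop the apostrophe from the sample text or note that the apostrophe needs escaping (for example as &#39;) when the attribute is single-quoted. Also, now that the <script> wrapper lines have been removed, the block contains only JavaScript but is still fenced as <code html>; <code javascript> would give correct highlighting and make the "one-liner" comment read naturally. The "You you've" to "If you've" fix in the spoiler title is good.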
Line 190: | Line 202: | ||
ip addr show | ip addr show | ||
</code> | </code> | ||
+ | * If on Firefox, try to disable Enhanced Tracking Protection on the malicious HTML (from the security icon on the left of the address), especially when you're coming from an external WSL IP address. | ||
* Switch sides (you're the victim, now): open your malicious HTML page using the same web browser. | * Switch sides (you're the victim, now): open your malicious HTML page using the same web browser. | ||
* //Note//: again, **make sure** you are logged in as ''admin'' inside the web app before doing the attack! | * //Note//: again, **make sure** you are logged in as ''admin'' inside the web app before doing the attack! | ||
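Review bot: the new Firefox bullet sits before the "Switch sides" step that actually opens the malicious HTML, so the reader is told to change a per-site setting for a page they have not loaded yet; move it after that step or phrase it as "when you open the malicious page". It would also help to say why the setting matters: Enhanced Tracking Protection restricts cookies on cross-site requests, so with it enabled the request to the target app may go out without the admin session cookie and the attack appears to fail for reasons unrelated to the payload. "security icon on the left of the address" should read "address bar", and "external WSL IP address" is ambiguous about which side is inside WSL (the lab server or the browser); one clarifying clause would remove the guesswork.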
Line 211: | Line 224: | ||
* Can you steal the source code of the server-side code using HTTP only? | * Can you steal the source code of the server-side code using HTTP only? | ||
- | * Once you found it, try to find the database credentials! | + | * Once you found it, try to find the hidden source code flag! |
* Hint: try to guess the path to a [[https://docs.npmjs.com/files/package.json|well-known file]] that all NodeJS projects have! It may reference the main script's name! | * Hint: try to guess the path to a [[https://docs.npmjs.com/files/package.json|well-known file]] that all NodeJS projects have! It may reference the main script's name! | ||
* You can try using a tool: [[https://cirt.net/nikto2|nikto]], ''apt install nikto'' | * You can try using a tool: [[https://cirt.net/nikto2|nikto]], ''apt install nikto'' |
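Review bot: the success condition changes from "find the database credentials" to "find the hidden source code flag", but nothing in the bullets says how the flag is marked or where in the source it is expected, so students cannot tell when they are done; add a short statement of the flag format or its location (for example, a comment in the main script, if that is where it lives). Grammar: "Once you found it" should be "Once you've found it". The package.json hint is consistent with the change, since the file's "main" field names the entry script; stating that field explicitly would make the hint more precise.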