This shows you the differences between two versions of the page.
Old revision: isc:labs:07 [2024/11/18 09:49] florin.stancu
Current revision: isc:labs:07 [2024/11/20 10:17] (current) radu.mantu
Line 149: | Line 149: | ||
To workaround that, simply change XSS injection strategy to use ''onerror'' attribute on a invalid image, e.g.: | To workaround that, simply change XSS injection strategy to use ''onerror'' attribute on a invalid image, e.g.: | ||
''%%<img src='/404' onerror='alert("hello")'>%%'' | ''%%<img src='/404' onerror='alert("hello")'>%%'' | ||
+ | </note> | ||
+ | <note warning> | ||
+ | DO NOT EDIT the entire ''%%<div class="ql-editor" contenteditable="true">%%'' element! The JavaScript WISIWYG editor has internal reference to this node, and if you invalidate it, the editor will become broken (and the exploit won't work!!!). | ||
+ | |||
+ | The proper way is to choose a inner ''%%<p>%%'' (just write some random text inside the editor beforehand) and edit that instead! | ||
</note> | </note> | ||
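Review bot: the added warning has spelling and grammar slips that should be fixed before it goes live: "WISIWYG" should read "WYSIWYG", "a inner" should be "an inner", and the unchanged sentence above still says "a invalid image". The warning itself is the right addition, since the editor keeps a reference to the ''ql-editor'' root node; consider naming the editor library in the warning so readers understand why replacing that node breaks it, and keep the advice to inject into an inner ''<p>'' as the recommended path.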
Line 157: | Line 162: | ||
* Unfortunately, **there's no flag for this one**, you just need to prove you modified the slogan using XSS! | * Unfortunately, **there's no flag for this one**, you just need to prove you modified the slogan using XSS! | ||
- | <spoiler You you've never used JS DOM API: expand> | + | <spoiler If you've never used JS DOM API: expand> |
<code html> | <code html> | ||
// note: you need to concatenate this as a one-liner when injecting as 'onerror' | // note: you need to concatenate this as a one-liner when injecting as 'onerror' | ||
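Review bot: the title fix ("You you've" to "If you've") is correct. One style point on the unchanged ''<code html>'' block: its first line is a JavaScript line comment (''// note: ...''), so tagging the fence ''<code javascript>'' would match the content and highlight properly, which helps readers who are told to flatten this snippet into a one-liner for ''onerror''.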
Line 197: | Line 202: | ||
ip addr show | ip addr show | ||
</code> | </code> | ||
+ | * If on Firefox, try to disable Enhanced Tracking Protection on the malicious HTML (from the security icon on the left of the address), especially when you're coming from an external WSL IP address. | ||
* Switch sides (you're the victim, now): open your malicious HTML page using the same web browser. | * Switch sides (you're the victim, now): open your malicious HTML page using the same web browser. | ||
* //Note//: again, **make sure** you are logged in as ''admin'' inside the web app before doing the attack! | * //Note//: again, **make sure** you are logged in as ''admin'' inside the web app before doing the attack! |
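Review bot: the new Firefox bullet should say what Enhanced Tracking Protection is expected to interfere with here (the cross-site request from the malicious page that must carry the ''admin'' session, per the two bullets that follow), so readers know when the workaround applies rather than disabling protection by default. "Coming from an external WSL IP address" is also ambiguous about which side runs in WSL; state explicitly which host it is (presumably the one serving the malicious HTML, given the ''ip addr show'' step above).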