WriteUp - SecurityFest CTF 2018 - Excess Ess 1
It's the description of a challenge and the explanation on how to solve it.
CTFs are international events, and good places for sharing knowledge, tricks and ideas, thus English is the chosen language for writeups. So if you're French-only, I'm sorry... :/
1 - The goal
Most of the time, to prove that an XSS is possible, the hacker provides a payload that pops an alert. And that's exactly what we're asked to do. So we first feed a simple word to see if it's reflected in the webpage. We do so and see that the keyword is reflected as a variable's content in our page.
2 - The protection
So we don't have it anymore... How to use it then?
3 - The bypass / solution
4 - The code
i = document.createElement("iframe");
So the final payload submitted was:
5 - Conclusion
Using a blacklist system is never a good solution, especially with JavaScript / Python / SQL / ... because there are so many ways to bypass blocked keywords, and to edit or recreate objects and functions easily, that this kind of sandboxing / protection is definitely not effective enough.
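As an added illustration (not code from the writeup or the challenge): the page reflected the keyword into a JavaScript variable and guarded it with a keyword blacklist. What a defender would do instead is encode for the script-string context, so the value stays data inside the literal whatever words it contains. The `var keyword = "...";` template is an assumption about the page's layout.

```javascript
// Added example (not from the writeup). Assumed template: the vulnerable page
// emits `var keyword = "<user input>";` inside a <script> element.

// Encode a value as a JavaScript string literal that is safe to embed in a
// script block. Instead of blacklisting words, the encoding guarantees that
// whatever the user sends stays data inside the quotes.
function encodeForJsString(value) {
  // JSON.stringify escapes double quotes, backslashes and control characters,
  // which already prevents the literal from being closed early.
  return JSON.stringify(String(value))
    // '<' and '>' are escaped so "</script>" in the value cannot terminate
    // the enclosing <script> element (the HTML parser runs before JS does).
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    // U+2028/U+2029 are line terminators in older JS engines; escape them too.
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Render the script line the page would emit for a reflected keyword.
function renderKeywordScript(value) {
  return `var keyword = ${encodeForJsString(value)};`;
}

// Decode the emitted literal back to the original value; used to verify that
// the encoding is lossless, i.e. the browser sees plain data, not code.
function decodeJsStringLiteral(literal) {
  return JSON.parse(literal);
}

// Demonstration on a constructed input that tries to close both the string
// literal and the script element.
const sample = '"; </script><script>x()//';
console.log(renderKeywordScript(sample));
console.log(decodeJsStringLiteral(encodeForJsString(sample)) === sample); // true
```

A Content-Security-Policy without `unsafe-inline` is the complementary layer: it limits the damage if an encoding step is ever missed.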
Even if this trick isn't new to me, I never had to use it before, so it was quite cool to try it on my own and realize that it's a really easy and fun trick to use!
Later during this CTF, a second version of this challenge was released, "Excess Ess 2". I spent a few hours on it. We were controlling fields in a meta tag, but not the content part. If you're aware of a way to exploit an XSS in a meta tag, without the content field, without <> to create a new entity, or a way to overwrite the content attribute, please tell me, I'll be glad to know!
Hope you liked this write up,
Have a great day! ^~^