Shibuya.XSS JIZEN GAKUSHU Challenge
This challenge was posted by Masato Kinugawa in March 2016, accompanying the Shibuya.XSS event in Tokyo.
- http://shibuya.vulnerabledoma.in/jizen (Challenge Website)
- http://shibuyaxss.connpass.com/event/28232/ (Event Website)
- https://speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-7 (Slides by Masato)
The model solution created by Masato Kinugawa:
Note: You have to use the unencoded characters instead of %3c; copying and pasting might break the PoC. You can also click here to play with the PoC: http://is.gd/6KL7sV
Tested and confirmed on MSIE11 and Edge (!).
Why does that work?
There are several reasons why this works, and several tricks are combined to attack the seemingly secure page:
- First of all, jQuery Mobile performs a navigation that is supported by the use of
- Check out the jQuery Mobile docs about
- As can be seen on the website, a "tracking image" is built using
The mhtml: protocol handler allows injecting an unencoded payload into the
- So, first the jQuery Mobile framework "navigates" to the new URL, and then the now-infected location.pathname property is used to create an HTML element.
- Given the lack of encoding, we can now break out of the HTML string and create an active element. Aaaand, XSS.
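The sink described above, as an added example that is not the challenge page's own code (that code is not reproduced here). It reconstructs a "tracking image" whose markup is built from location.pathname by string concatenation, and contrasts three cases: the raw, unencoded pathname the write-up says the IE/Edge mhtml: handler delivered; the same payload after a standards-compliant URL parser has percent-encoded it (which is why the PoC needs the unencoded characters); and the raw pathname through a hardened builder. The function names, the `/track?p=` endpoint, and the payload are assumptions made for this example; because the reconstructed sink uses a double-quoted attribute, the constructed payload closes that quote before opening its own tag.

```javascript
// Added example: reconstruction of the location.pathname -> HTML-string sink described in
// the write-up. Not the challenge's own source; names and endpoint are assumptions.

// Vulnerable reconstruction: the pathname is spliced straight into an HTML string.
function buildTrackerUnsafe(pathname) {
  return '<img src="/track?p=' + pathname + '" width="1" height="1">';
}

// Escape the five characters that matter inside an HTML attribute value.
function escapeHtmlAttr(s) {
  return s.replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Hardened form: percent-encode the value for the URL *and* escape it for the attribute
// context. Either layer alone closes the hole shown here; together they keep the string
// inert regardless of which context it is later interpreted in.
function buildTrackerSafe(pathname) {
  return '<img src="/track?p=' + escapeHtmlAttr(encodeURIComponent(pathname)) +
    '" width="1" height="1">';
}

// Minimal check used below: count start tags in a markup string. A raw '<' followed by
// a letter opens an element; a well-formed tracker contains exactly one.
function countStartTags(html) {
  const m = html.match(/<[a-zA-Z]/g);
  return m ? m.length : 0;
}

// What a WHATWG-conformant parser hands to location.pathname: '<', '>', '"' and space in
// the path are percent-encoded, so no raw '<' survives. The mhtml: handler in IE/Edge
// that the write-up relies on did not apply this encoding.
function pathnameFromUrl(url) {
  return new URL(url).pathname;
}

// Constructed input (not the challenge's actual payload): a path segment that closes the
// src attribute and opens an img element carrying an event handler.
const PAYLOAD_PATH = '/jizen/"><img src=x onerror=alert(1)>';

// Case 1: raw, unencoded pathname (the mhtml: case) -> two start tags, handler attribute live.
const unsafeRaw = buildTrackerUnsafe(PAYLOAD_PATH);
// Case 2: the same payload after normal URL parsing -> still one start tag, payload inert.
const unsafeEncoded = buildTrackerUnsafe(
  pathnameFromUrl('http://shibuya.vulnerabledoma.in' + PAYLOAD_PATH));
// Case 3: raw pathname through the hardened builder -> one start tag.
const safeRaw = buildTrackerSafe(PAYLOAD_PATH);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('raw + unsafe builder  :', countStartTags(unsafeRaw), 'start tag(s)', unsafeRaw);
  console.log('encoded + unsafe      :', countStartTags(unsafeEncoded), 'start tag(s)', unsafeEncoded);
  console.log('raw + hardened builder:', countStartTags(safeRaw), 'start tag(s)', safeRaw);
}
```

Run it with Node; the first line shows the tracker markup split into two elements, the second shows the same payload neutralised by ordinary percent-encoding of the path, and the third shows that the hardened builder does not depend on the URL parser having done that job.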
Challenge solved :)