Skip to content

Shibuya.XSS JIZEN GAKUSHU Challenge

Cure53 edited this page Mar 30, 2016 · 5 revisions

Shibuya.XSS JIZEN-GAKUSHU Challenge

This challenge was posted by Masato Kinugawa in March 2016, accompanying the Shibuya.XSS event in Tokyo.



The model solution created by Masato Kinugawa:">%3Csvg%20onload=alert(1)%3E

Note: You have to use unencoded characters instead of %22 and %3c, copy&paste might break the PoC. You can also click here to play with the PoC:

Tested and confirmed on MSIE11 and Edge (!).

Why does that work?

There is several reasons why this works, and several tricks being used to attack the seemingly secure page:

  • First of all, jQuery mobile performs a navigation that is supported by the use of history.pushState()
  • Check out the jQuery Mobile docs about hashListeningEnabled and pushStateEnabled:
  • This is not a bug in itself, but combined with the existing JavaScript on the page, it becomes a vulnerability
  • As can be seen, on the website, a "tracking image" is built, using location.pathname
  • Combining history.pushState() with a mhtml: protocol handler allows to inject unencoded payload into the location.pathname property
  • So, first the jQuery mobile framework "navigates" to the new URL, then the now infected location.pathname property will be used to create a HTML element
  • Given the lack of encoding, we can now break the HTML string and create an active element. Aaaand, XSS.

Challenge solved :)

You can’t perform that action at this time.