Shibuya.XSS JIZEN GAKUSHU Challenge 2
This challenge was posted by Masato Kinugawa in March 2016, accompanying the Shibuya.XSS event in Tokyo.
- http://shibuya.vulnerabledoma.in/jizen2 (Challenge Website)
- http://shibuyaxss.connpass.com/event/28232/ (Event Website)
- https://speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-7 (Slides by Masato)
Note that this solution only works when loaded from an EML page, not from an HTML website. Masato's model solution shown below is a bit more flexible.
The model solution created by Masato Kinugawa:
Why does that work?
There are several reasons why this works, and several tricks are combined to attack the seemingly secure page:
- The page is embedded by an external page that itself uses MSIE document mode 9.
- As a result, not only does the embedding page run in IE9 mode, the embedded one does as well!
- The page is loaded via an `object` element. This has an interesting effect on MSIE!
- In this constellation, IE9 mode and embedded via an `object`, the property `location.pathname` will not be prefixed by a slash! That opens the door for an attack.
- Now, in addition to that, the server configuration of the challenge page allows the use of encoded slashes; see the Apache docs about the setting called `AllowEncodedSlashes`.
Combining those tricks (MSIE document mode 9, embedding the challenge page to obtain a `location.pathname` without a leading slash, and abusing Apache's `AllowEncodedSlashes`) sets up all conditions necessary for the alert to pop.
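As an added illustration (this is not the challenge's code and not Masato's solution), here is how a page script could read `location.pathname` defensively when both quirks above are in play: the missing leading slash is restored before any comparison, and a segment that only becomes a slash after percent-decoding is rejected rather than silently accepted. It assumes a hypothetical script that wants to confirm it runs under `/jizen2`.

```javascript
// Added example, not part of the original challenge page.
// Normalise a raw pathname string as a browser might report it:
//  1. IE9 document mode inside an <object> may omit the leading slash.
//  2. With Apache AllowEncodedSlashes enabled, "%2F" survives in the path,
//     so a segment may decode to something containing "/".
function normalizePathname(rawPathname) {
  if (typeof rawPathname !== "string") {
    throw new TypeError("pathname must be a string");
  }
  // Quirk 1: restore the leading slash before doing anything else.
  const path = rawPathname.startsWith("/") ? rawPathname : "/" + rawPathname;
  // Split on literal slashes only, then decode each segment on its own.
  const segments = path.split("/").slice(1).map((seg) => {
    let decoded;
    try {
      decoded = decodeURIComponent(seg);
    } catch (e) {
      // Malformed percent-encoding (e.g. a lone "%E2") is an error, not data.
      throw new Error("malformed percent-encoding in path segment: " + seg);
    }
    // Quirk 2: an encoded slash (or backslash) inside a segment is rejected
    // instead of being re-joined into a different path.
    if (decoded.includes("/") || decoded.includes("\\")) {
      throw new Error("encoded slash in path segment: " + seg);
    }
    return decoded;
  });
  return "/" + segments.join("/");
}

// True only if the (normalised) pathname equals expectedPrefix or sits below
// it as a whole segment, so "/jizen2evil" does not count as "/jizen2".
function isUnderPath(rawPathname, expectedPrefix) {
  let normalized;
  try {
    normalized = normalizePathname(rawPathname);
  } catch (e) {
    return false;
  }
  return normalized === expectedPrefix ||
    normalized.startsWith(expectedPrefix + "/");
}

// Constructed sample values (hypothetical, not captured from the challenge).
const constructedSamples = ["jizen2", "/jizen2/index", "/jizen2%2F..%2Fx"];
for (const s of constructedSamples) {
  console.log(s, "->", isUnderPath(s, "/jizen2"));
}
```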
Challenge solved :)