Advanced XSS [⭐] #1245
How about a CSP injection + onerror attribute XSS challenge? Something along the lines of: the user is allowed to post images and provide the alt-text in case they don't render correctly. The CSP disables inline scripts, but the image link provided by the user is added to it. The rendered element then looks like :- while the CSP looks something like :- This functionality is implemented so that the user can use a payload like Should I go ahead with this?
@bkimminich Can you please give your opinion on the above-mentioned idea so I know if/how I should proceed with this?
I like the idea of covering HTML attribute breakout like this! The question is, will Angular allow this to happen "naturally"? Is this maybe easier to get into the legacy profile page, which is based on Pug? If we go for the profile page, maybe the alt-attribute could just be the chosen username? That might be fun, because then that field would be usable for two different XSS paths, the name itself and the icon, depending on the payload.
Ah, yes!
Ok so after playing around with the profile page for a while, here's what I found. Pug automatically escapes all attribute values, making attribute breakout impossible by default. Also, profile images are currently stored locally as files, which rules out CSP injection as well. So as far as I can see right now, there are two ways this challenge can be implemented:
@bkimminich , @J12934 Which alternative do you suggest I proceed with?
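An added example, written by the editor and not part of Juice Shop or this thread, showing the two defences the discussion touches side by side: a CSP header built by concatenating the user's image URL (the shape that makes CSP injection possible), a hardened builder that only ever emits the parsed origin, and the attribute escaping that Pug applies by default and that blocks the alt-attribute breakout. All function names and the sample URLs are hypothetical.

```javascript
// Weak: concatenating the raw user URL into the header string. Since ';'
// separates directives in a CSP, a crafted URL can append directives.
function buildImgCspWeak(userImageUrl) {
  return `default-src 'self'; img-src 'self' ${userImageUrl}`;
}

// Hardened: parse the URL, allow only http(s), and emit only its origin.
// Returns null when the value must be rejected instead of being used.
function buildImgCsp(userImageUrl) {
  let parsed;
  try {
    parsed = new URL(userImageUrl);
  } catch {
    return null; // not a parseable absolute URL
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  // Belt and braces: an origin is scheme, host and optional port, nothing else.
  if (!/^https?:\/\/[a-z0-9.-]+(:\d+)?$/i.test(parsed.origin)) return null;
  return `default-src 'self'; img-src 'self' ${parsed.origin}`;
}

// Count directives so a test can show the weak builder gained one.
function directiveCount(policy) {
  return policy.split(';').map(s => s.trim()).filter(Boolean).length;
}

// Escape a value for a double-quoted HTML attribute (what Pug does by default).
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Render the profile image with both attributes escaped.
function renderImage(src, alt) {
  return `<img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}">`;
}
```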
@bkimminich Any opinions on this ^ ? I'm thinking of going ahead with the first one, since we already have a few more low-difficulty XSS challenges besides this one, so upgrading it to a higher difficulty won't hurt.
First option sounds better to me too!
⭐ Challenge idea
<script> context (with escaping for wrong context, e.g. HTML)
Underlying vulnerability/ies
XSS
Expected difficulty
⭐⭐ to ⭐⭐⭐⭐