Video subs challenge #891
Conversation
How about we don't add an upload button for the subtitles, but instead put them somewhere on the backend side where they can be overwritten with the same attack used for Arbitrary File Write?
Yep, that I believe would be a better idea. Uploading of subs looks a bit unrealistic too 😅.
@bkimminich, I've made the subs to load from a file in
One of the failing tests was on me when I did some refactoring, should be fixed with the next build. Can you put the subs into some folder that is not in
Now shifted the subs file to the dist directory in the assets folder, because normally a website would maintain it this way. But now I guess the user must be given more hints for locating the subs file, as it has now become very tough to even guess the location. Sorry for the delay, got some chromedriver-related problems that took time.
routes/videoHandler.js (outdated)
const challenges = require('../data/datacache').challenges
const utils = require('../lib/utils')

const themes = {
This should be pulled out of userProfile.js and be reused by both Jade pages in order to avoid code duplication.
So should I put this into the data directory in a new file themes.js? @bkimminich
I'd probably put it into /views because it's only for the Jade screens.
Alright 👍
I'm really sorry for the delay. This just slipped out. I've made the changes. Please do tell if more modifications are required. @bkimminich, @J12934
…el (juice-shop#891)
* Closes juice-shop#876
* Fixes overflowing admin panel content by adding the `.text-break` CSS class.
* This is .text-break cloned from Bootstrap 4.3 with a fix for browsers not supporting break-word. It will be removed from the main CTFd classes when Bootstrap is upgraded internally.
This thread has been automatically locked because it has not had recent activity after it was closed. 🔒 Please open a new issue for regressions or related bugs.
In this PR I've added the video subtitles challenge. I had to use jade as the template because the real scenario is understood by seeing the <script> of the rendered html. The basic flow is as follows:
- /promotion route. (Possibility of implementing the easter egg here!)
- upload subtitle form to perform the xss.
- <script>alert('xss')</script> to successfully solve the challenge.
Now, here the catch is, simply entering <script>alert('xss')</script> won't work here. The subs are rendered in a special <script type=text/vtt> tag. This practice is found in a few websites to evade cross origin policies. An ideal infected subs file would contain:
- </script> tag to escape the original <script type=text/vtt>.
- <script>alert('xss')</script>
So the attacker needs to inspect the js of the page first to observe what's going on.
TODO:
- Upload Subs to Upload Correct Subs
- and a fake review system to finally upload them.
Your views on this, @bkimminich, @J12934, @CaptainFreak
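The defensive counterpart to the script-block breakout described in this PR, added here as an example and not part of the PR or of Juice Shop's code: it inlines untrusted WebVTT text into a <script type="text/vtt"> block while rewriting every `<` that does not start a legitimate cue tag to the WebVTT entity `&lt;`, so a `</script>` inside a subtitle file can no longer terminate the data block. The function names (sanitizeVttCueMarkup, renderVttScript) and the sample subtitle file are constructed for this example.

```javascript
// Added example, not Juice Shop code: neutralise script-block breakout in
// subtitle text that is inlined into a <script type="text/vtt"> element.
//
// The HTML parser ends a <script> element at the first "</script" (any case)
// and treats "<!--" inside script data specially, so untrusted text inlined
// there must never contain either sequence. WebVTT cue text only allows a
// small set of tags; every other "<" is rewritten to the WebVTT entity
// "&lt;", which the VTT parser decodes but the HTML parser never sees as
// markup. Legitimate cue tags (<b>, <i>, <u>, <c.cls>, <v Name>, <ruby>,
// <rt>, <lang xx>, <00:01.000> timestamps) are left untouched.

const ALLOWED_CUE_TAG =
  /^<\/?(?:b|i|u|ruby|rt|c(?:\.[\w-]+)*|v(?: [^<>]*)?|lang(?: [^<>]*)?)>$|^<\d{2}:\d{2}(?::\d{2})?\.\d{3}>$/;

// Rewrite every "<" that does not begin an allowed WebVTT tag to "&lt;".
function sanitizeVttCueMarkup(text) {
  // Try a complete "<...>" token first; otherwise handle the bare "<".
  return text.replace(/<[^<>]*>|</g, (tok) =>
    ALLOWED_CUE_TAG.test(tok) ? tok : tok.replace(/</g, '&lt;'));
}

// Build the inline data block and return the HTML fragment as a string.
function renderVttScript(vtt, id = 'subs') {
  const body = String(vtt).replace(/^\uFEFF/, ''); // tolerate a BOM
  if (!/^WEBVTT(?:[ \t\n\r]|$)/.test(body)) {
    throw new Error('not a WebVTT file: missing WEBVTT header');
  }
  const safe = sanitizeVttCueMarkup(body);
  // Defence in depth: the sanitiser makes these sequences unreachable, so
  // finding one here means the allow-list above has been broken.
  if (/<\/script|<!--/i.test(safe)) {
    throw new Error('script data still contains a terminator sequence');
  }
  return `<script type="text/vtt" id="${id}">\n${safe}\n</script>`;
}

// Constructed sample: a subtitle file carrying the breakout payload from
// the PR description.
const SAMPLE_MALICIOUS_VTT =
  "WEBVTT\n\n00:00.000 --> 00:02.000\n</script><script>alert('xss')</script>";

console.log(renderVttScript(SAMPLE_MALICIOUS_VTT));
```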