Video subs challenge #891
Video subs challenge #891
Conversation
|
How about we don't add an upload button for the subtitles, but instead put them somewhere on the backend side where they can be overwritten with the same attack used for Arbitrary File Write? |
|
Yep that I believe would be a better idea. Uploading of subs looks a bit unrealistic too 😅 . |
supra08
force-pushed
the
videoSubsChallenge
branch
from
62c3029
to
2b76d1c
Compare
|
@bkimminich, I've made the subs to load from a file in |
|
One of the failing tests was on me when I did some refactoring, should be fixed with next build. Can you put the subs into some folder that is not in |
supra08
force-pushed
the
videoSubsChallenge
branch
from
6856611
to
bf58308
Compare
|
Now shifted the subs file to the dist directory in the assets folder, because normally a website would maintain it this way. But now I guess, the user must be given more hints for locating the subs file as it has now become very tough to even guess the location. Sorry for the delay, got some chromedriver related problems that took time. |
routes/videoHandler.js
Outdated
| const challenges = require('../data/datacache').challenges | ||
| const utils = require('../lib/utils') | ||
|
|
||
| const themes = { |
There was a problem hiding this comment.
This should be pulled out of userProfile.js and be reused by both Jade pages in order to avoid code duplication.
There was a problem hiding this comment.
So should I put this into the data directory in a new file themes.js? @bkimminich
There was a problem hiding this comment.
I'd probably put it into /views because it's only for the Jade screens.
|
I'm really sorry for the delay. This just slipped out. I've made the changes. Please do tell if more modifications are requires. @bkimminich, @J12934 |
…el (juice-shop#891) * Closes juice-shop#876 * Fixes overflowing admin panel content by adding the `.text-break` CSS class. * This is .text-break cloned from Bootstrap 4.3 with a fix for browsers not supporting break-word. It will be removed from the main CTFd classes when Bootstrap is upgraded internally.
|
This thread has been automatically locked because it has not had recent activity after it was closed. 🔒 Please open a new issue for regressions or related bugs. |
In this PR I've added the video subtitles challenge. I had to use jade as the template because the real scenario is understood by seeing the
<script>of the rendered html. The basic flow is as follows:/promotionroute. (Possibility of implementing the easter egg here!)upload subtitleform to perform the xss.<script>alert('xss')</script>to successfully solve the challenge.Now, here the catch is, simply entering
<script>alert('xss')</script>won't work here. The subs are rendered in a special<script type=text/vtt>tag. This practice is found in a few websites to evade cross origin policies. An ideal infected subs file would contain:</script>tag to escape the original<script type=text/vtt>.<script>alert('xss')</script>So the attacker needs to inspect the js of the page first to observe what's going on.
TODO:
Upload SubstoUpload Correct Subsand a fake review system to finally upload them.Your views on this, @bkimminich , @J12934 , @CaptainFreak