Hacker101 CTF: Micro-CMSv1

Nate
Oct 25, 2023


XSS all over the place!

I recently made the decision to sign up for HackerOne / Hacker101. Not for the bug bounty piece (at least not yet), but for their educational material, training, and CTFs.

As always, I learn more when I take notes…and if I take notes…I might as well turn them into a writeup. So here we go!

Side note: I’m skipping the first CTF writeup; the flag was in the page response, so there’s nothing really to write about with that one.

First Flag

When the page loads, we are greeted with three links: Testing, Markdown Test, and Create a new page.

Let’s load this up in Burp and take a look at what the page sends us when we click around.

Each page provides you with an option to edit, and then obviously there is an option to create a new page. When clicking “Edit this page” we are presented with a box that appears to only accept Markdown.

I created a new “test” button just to see what would happen, and (with intercept on in Burp) I clicked “Save.”

Hmmm.

The edits were reflected in the response, so….reflected XSS? I’d say that is what we are dealing with.

The boxes that let you use Markdown to edit the body of the page seem to be sanitized though.
However, that doesn’t mean the title of the page is.

Let’s try a simple script in the title field and see what happens:

<script>alert(1)</script>

Click “Save” annnd….there’s the flag! (If it doesn’t show up at first, refresh the page or try to navigate back one page).

Now, there are four total flags on this challenge. So let’s see what else we can find.

Second Flag

I decided to throw the link into ZAP and see what I can gather just by poking around.

One of the responses that came back from the page showed this:

Page 2, the page we edited, shows the flag now. Page 7 was a page that I created…what else am I looking at?

All the pages load, and it doesn’t look like I’ve missed any hidden pages or anything. ZAP seems to have done some damage though…

It looks like the page numbers show up after “edit” in the URL when editing a page. Let’s see if any of these give us something interesting.

Aha! Page 4! (I ended up just cycling through page numbers from 1–7 to find this…it may work on other pages though).

Third Flag

As I mentioned earlier, the boxes say “Markdown is supported, but scripts are not.”

I feel like there is a way around this though…

I tried using a markdown link at first but that was a dead end as it just added the script to the end of the URL after scrubbing it. There are buttons everywhere in the markdown examples provided though, so let’s try a button:

<button onclick='<script>alert(1)</script>'>XSS</button>

Scrubbed! But…wait… there’s a flag in the response! Woohoo!

Fourth Flag

The only piece we really haven’t touched in this challenge is the URL.

So, after toying around with random scripts and so on in the URL and realizing none of that was going to work, I did some further research on XSS, JavaScript escape characters, URL-based XSS, and oh…trailing quotes!

Turns out, when there is a trailing (unescaped) quote in a string, it closes the string literal early, so the rest of the text is parsed as active code….

Like so:

From here, everything after the r in “user” becomes active script because of the apostrophe in “user’s.”

Let’s throw a trailing quote on the end of this URL and see what happens:

And there we have it, the last flag!
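To tie the three flags together (title dropped straight into the HTML body, an event handler that survives a script-only filter in the Markdown body, and a quote that closes a JavaScript string), here is an added Python example; it is not code from the CTF or from the Micro-CMS app, and the vulnerable/safe helpers and the naive filter are assumptions standing in for whatever the challenge actually does.

```python
import html
import json
import re

# --- First flag: title rendered without escaping -----------------------------
def render_title_vulnerable(title: str) -> str:
    # Assumed behaviour: the title is concatenated into the page as-is.
    return f"<h1>{title}</h1>"

def render_title_safe(title: str) -> str:
    # HTML-escape so <script> arrives as text, not as an element.
    return f"<h1>{html.escape(title, quote=True)}</h1>"

# --- Third flag: "scripts are not supported" is not the same as sanitized ----
def strip_script_tags(fragment: str) -> str:
    # Naive filter (assumed): removes <script> elements and nothing else.
    return re.sub(r"<script\b[^>]*>.*?</script>", "", fragment, flags=re.I | re.S)

def sanitize_body(fragment: str) -> str:
    # Illustrative only: also drops on* event-handler attributes. Real code should
    # use an allowlist HTML sanitizer rather than regexes.
    no_handlers = re.sub(r"\son\w+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", "", fragment, flags=re.I)
    return strip_script_tags(no_handlers)

# --- Fourth flag: a value placed inside a JavaScript string literal -----------
def embed_in_js_vulnerable(value: str) -> str:
    # Assumed behaviour: the value is concatenated into a single-quoted literal,
    # so an apostrophe in the value ends the literal and the remainder is code.
    return f"var user = '{value}';"

def embed_in_js_safe(value: str) -> str:
    # json.dumps escapes quotes/backslashes; "</" is escaped so the literal can
    # never close an enclosing <script> element.
    return "var user = " + json.dumps(value).replace("</", "<\\/") + ";"

if __name__ == "__main__":
    # Constructed inputs mirroring the writeup's payloads.
    title = "<script>alert(1)</script>"
    body = "<button onclick='<script>alert(1)</script>'>XSS</button>"
    print(render_title_vulnerable(title))
    print(render_title_safe(title))
    print(strip_script_tags(body))   # handler attribute survives
    print(sanitize_body(body))       # handler attribute removed
    print(embed_in_js_vulnerable("user's"))
    print(embed_in_js_safe("user's"))
```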
