DISCLAIMER: The information on this site is for educational purposes only. The authors of this blog are not responsible for any kind of misuse of this information.

Friday, May 30, 2014

XSS Game 4/6

OK another one :)

As always, we start with behavioral analysis. Let's give the timer some number. Oh, we got redirected to another page with a waiting message:

"Your timer will execute in <timer> seconds."

<timer> is the value we passed on the previous page. The first page contains a form which generates an HTTP GET request with the parameter 'timer' to timer.html (the actual HTTP GET request goes to index.html, but the webserver redirects it to timer.html if a 'timer' parameter was added).

OK, cool. Instead of giving a numerical value, let's inject some HTML tag >:)

<b>XSS?</b>

=O It was sanitized! Meaning the real fun begins :D

Let's inspect the timer.html page:

    <script>
      function startTimer(seconds) {
        seconds = parseInt(seconds) || 3;
        setTimeout(function() {
          window.confirm("Time is up!");
          window.history.back();
        }, seconds * 1000);
      }
    </script>
  </head>
  <body id="level4">
    <img src="/static/logos/level4.png" />
    <br>
    <img src="/static/loading.gif" onload="startTimer('<timer_value>');" />
    <br>
    <div id="message">Your timer will execute in {{ timer }} seconds.</div>

We will try to inject our code into:
onload="startTimer('<timer_value>');"
This is a strategic place because this code is executed on page load.

To inject without any annoying popups, let's start our injected timer value with 100000000.
The timer won't be triggered any time soon, so we have time to work without interruptions :)

timer=100000000

First, we want to escape from the '...' context. Let's inject timer=100000000%27 (%27 is the URL-encoded form of ', i.e. its hex ASCII code).
We get "Uncaught SyntaxError: Unexpected token ILLEGAL" in the Chrome console. It seems that we broke something: the ' we injected messed up the quoting of the timer value.

Let's continue with calling alert.
We want something like this: startTimer('1');alert('Owned!');
The timer value, URL-encoded: timer=1%27%29%3Balert%28%27Owned!

Notice we didn't inject the closing ') for the alert because it was already there.
We changed the timer value to 1 to avoid waiting forever for the timer to fire.

Owned!
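The root cause is that the raw 'timer' parameter is dropped into a JavaScript string literal inside an inline event handler, where stripping HTML tags does nothing for ' ) and ;. Here is an added example, not code from the XSS Game or this post, of a hypothetical server-side renderer for timer.html: the vulnerable template beside two fixed versions (validating the value as an integer, and moving it into an escaped data attribute so no user input ever lands inside JavaScript), plus a small regression check. Function names and startTimerFromData are my own.

```javascript
// Added example, not code from the XSS Game or the original post: a
// hypothetical server-side renderer for timer.html, showing the vulnerable
// inline-handler template beside two hardened variants.

const LOADING = '<img src="/static/loading.gif"';

// Vulnerable: the raw query value is concatenated into a JavaScript string
// literal inside an inline event handler. The page's tag filter strips <b>,
// but ' ) and ; pass through, so the literal can be closed early.
function renderTimerVulnerable(timer) {
  return `${LOADING} onload="startTimer('${timer}');" />`;
}

// Fix 1: validate against the intended type. The parameter is supposed to be
// an integer, so accept only 1-9 decimal digits before it reaches the template.
function isAcceptedTimer(timer) {
  return /^[0-9]{1,9}$/.test(String(timer));
}

function renderTimerValidated(timer) {
  if (!isAcceptedTimer(timer)) {
    throw new Error("timer must be 1-9 decimal digits");
  }
  return `${LOADING} onload="startTimer('${timer}');" />`;
}

// Fix 2: keep data out of JavaScript entirely. Store the value in an
// HTML-attribute-escaped data attribute; a static handler (hypothetical
// startTimerFromData in the page's <script>) would read it with
// parseInt(img.dataset.timer, 10) || 3, just as startTimer already does.
function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderTimerDataAttr(timer) {
  return `${LOADING} data-timer="${escapeHtmlAttr(timer)}" onload="startTimerFromData(this)" />`;
}

// Regression check for the template: a well-formed onload attribute holds
// exactly one single-quoted literal, i.e. exactly two ' characters.
function onloadHoldsSingleLiteral(html) {
  const m = html.match(/onload="([^"]*)"/);
  return m !== null && (m[1].match(/'/g) || []).length === 2;
}

// Constructed sample input: the decoded form of the post's final payload.
const PAYLOAD = "1');alert('Owned!";
```

Run the check against both renderers: the vulnerable template fails it for PAYLOAD (four quotes in the handler), the validated one rejects the value before rendering, and the data-attribute version emits it with the quotes encoded as &#39;.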
