Here we have a kind of chat service (a very lame one, because of the XSS bug in it =D)
Let's start our blind inspection:
Input:
<b>Sup?</b>
As we can see, our HTML tags were rendered by the browser too! No escaping again >:)
The trivial next input will be:
<script>alert("Owned?")</script>
But this time it doesn't work (if it did, this level wouldn't teach us anything we didn't learn from the previous one).
It seems someone filtered out <script> tags from his chat service (a chat service needs at most styling tags such as bold/underline, so it's reasonable not to support scripts).
So ... our trivial injection doesn't work, but there are plenty of other ways to execute JavaScript in a victim's browser }:-)
It's a chat service, so maybe <img/> is supported. OK, it is. What could be done with that?
We can attach JavaScript code to event handler attributes such as onclick, onload and onerror.
- The first option requires the victim to click on the image, so it takes more than just the injection (we would have to convince the victim to click on it).
- The second option requires the image to load successfully, so we would have to supply an image to load ... Nobody Got Time For That!
- The third option requires the image to fail to load. Easy! Give it a bad src value and the event will be fired :)
<img src='bad_src' onerror="alert('Owned!')"/>
Gotcha!
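As an added illustration (not code from the original post or from the level itself), the snippet below contrasts a blocklist filter that only strips <script> tags, which is my guess at what the level does, with an allowlist sanitizer that escapes every unknown tag and drops every unlisted attribute, so the onerror payload above comes out as a harmless <img>. In a real application use the browser's own parser or a maintained sanitizer such as DOMPurify; this hand-rolled one exists only to show the difference between the two approaches.

```javascript
// Added illustration, not the level's real code: the blocklist "filter" below is an
// assumption about what the level does; the allowlist sanitizer is the defensive fix.

// Blocklist approach: remove <script> tags and hope nothing else runs code.
function blocklistFilter(html) {
  return html.replace(/<\/?script[^>]*>/gi, "");
}

// Tags a chat service actually needs, with the attributes allowed on each.
// Event handler attributes (on*) are never listed, so they are always dropped.
const ALLOWED = { b: [], i: [], u: [], img: ["src", "alt"] };
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Rebuild one tag from scratch, keeping only allowed attributes.
function sanitizeTag(whole, slash, name, attrs) {
  const tag = name.toLowerCase();
  if (!(tag in ALLOWED)) return escapeHtml(whole);   // unknown tag -> inert text
  if (slash) return `</${tag}>`;
  const kept = [];
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = attrRe.exec(attrs)) !== null) {
    const key = m[1].toLowerCase();
    const val = m[2] ?? m[3] ?? m[4] ?? "";
    if (!ALLOWED[tag].includes(key)) continue;                 // drops onerror & co.
    if (key === "src" && !/^https?:\/\//i.test(val)) continue; // no javascript: URLs
    kept.push(`${key}="${escapeHtml(val)}"`);
  }
  return `<${tag}${kept.length ? " " + kept.join(" ") : ""}>`;
}

// Allowlist approach: text outside recognised tags is escaped, tags are rebuilt.
function allowlistSanitize(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index));
    out += sanitizeTag(m[0], m[1], m[2], m[3]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(html.slice(last));
}
// The payload from the write-up, used here as sample input.
const PAYLOAD = `<img src='bad_src' onerror="alert('Owned!')"/>`;
console.log("blocklist :", blocklistFilter(PAYLOAD));   // unchanged, still fires
console.log("allowlist :", allowlistSanitize(PAYLOAD)); // <img>
```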