How's it going bros? Today we are gonna play the XSS challenge by leettime.net.
It consists of 8 different challenges where we need to pop up the URL of the webpage by calling alert(document.URL). The layout of the challenge page stays the same throughout the challenge.
We will be using d3v as the basic probe throughout the challenge. So without wasting any more time, let's go!
Let's enter d3v in the search box and look at the source code:
<center>cannot find d3v</center>
So the input is landing in HTML context. In this case, we can just do this:
Let's see if it works or not.
It does! Hey wait, I don't think it would be a good idea to add this image after every solution, so we will skip it.
In the next challenge, the input gets reflected as follows:
So it got reflected as the value of an attribute without any quotes around it. The simplest way to break out of this is to use a > to close the current tag, and the complete payload will be:
This is similar to the previous one, the only difference being that this time the value is within double quotes.
To close the value and break out of the tag, we will use "> and the complete payload will be:
Okay, this is getting boring now. This time the value is within single quotes and hence the payload will be:
Phewww! Finally something different. This time it's landing as a variable value inside a script block as follows:
In this case we will be using the following payload:
Let's break it down to understand how it works:
- " declares the end of the value
- The previous statement has ended and we are free to add our own code, so let's inject alert(document.URL). Wait, what? Why document.URL and not just URL like in the previous cases? Because this time we are in a script block, and to access the DOM we must go through the document property.
- ; will end the statement
- " will be paired with another " in the source to keep the syntax valid
On putting it together, it looks like this:
It looks beautiful, doesn't it?
Oh boy! This is not how you create challenges. This challenge is the same as the previous one, the only difference being that this time the variable value is contained within single quotes (') and hence the payload will be:
Here's the reflection:
We have done this before, so let's close the value and the tag by adding '> and the payload will be:
Oops! It didn't work!
Let's take a look at the source code for clues:
<input type="text" name="name" value=''<svg onload=alert(URL)'></input>
Hmmm, so the > is getting filtered. We can't break out of the tag, but we can break out of the value and try injecting an event handler. We will use the following payload:
It works! Before we break it down, let's see how it gets reflected:
<input type="text" name="name" value=''autofocus onfocus='alert(URL)'></input>
Now let's break it down:
- ' declares the end of the value
- autofocus is used to automatically focus the element when the page loads
- onfocus is an event handler which gets triggered when the element containing it receives focus
- the ' declares the start of the value of onfocus
Here's the reflection:
Yes, I know it's the same as the previous one, but in this one single quotes (') are getting filtered and hence we can't break out of the value.
So what's the catch? Well, the resulting URL after the search is:
So the thing is that the value of the submit parameter is also getting reflected. The reflection is:
<input type="text" name="name" value='d3v'></input> <input type="submit" name="submit" value="search">
So let's inject our payload in the submit parameter, and the payload we are going to inject will be:
annnnddd that's it! We completed the challenge.
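The defender's side of the same story, as an added example that is not part of the original write-up: every reflection point in these challenges (between tags, inside an attribute value, as a string inside a script block) is fixed by encoding for that specific context and by always quoting attribute values. The variable name in the script template is an assumption; the test strings are the reflections quoted on the page.

```python
# Added example: context-aware output encoding for the reflection points in
# this write-up (HTML body, attribute values, string inside a <script> block).
# The script variable name "name" is an assumption; the input strings below
# are copied from the reflections shown on the page and used as test data.
import html
import json

PROBE = "d3v"
ATTR_BREAKOUT = "'autofocus onfocus='alert(URL)'"   # challenge 7 reflection
TAG_BREAKOUT = "'<svg onload=alert(URL)"            # challenge 7, first attempt

def enc_html_text(value: str) -> str:
    """Between tags (<center>cannot find ...</center>): neutralise & < >."""
    return html.escape(value, quote=False)

def enc_html_attr(value: str) -> str:
    """Inside an attribute value: also neutralise both quote characters,
    so neither 'quoted' nor "quoted" attributes can be closed early."""
    return html.escape(value, quote=True)

_JS_EXTRA = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}

def enc_js_string(value: str) -> str:
    """String literal inside <script>: json.dumps escapes quotes and
    backslashes; the extra map keeps '</script>' from ending the block."""
    literal = json.dumps(value, ensure_ascii=True)
    return "".join(_JS_EXTRA.get(ch, ch) for ch in literal)

def render_not_found(term: str) -> str:
    return f"<center>cannot find {enc_html_text(term)}</center>"

def render_search_form(name: str, submit: str) -> str:
    """Challenge 2 reflected the value unquoted and challenge 8 reflected the
    submit parameter too: always quote the attribute AND encode every input."""
    return (f'<input type="text" name="name" value="{enc_html_attr(name)}">'
            f' <input type="submit" name="submit" value="{enc_html_attr(submit)}">')

def render_script_var(term: str) -> str:
    return f"<script>var name = {enc_js_string(term)};</script>"

if __name__ == "__main__":
    for s in (PROBE, ATTR_BREAKOUT, TAG_BREAKOUT):
        print(render_not_found(s))
        print(render_search_form(s, "search"))
        print(render_script_var(s))
```

Note that the script-block encoder escapes < and > even though json.dumps does not, since a literal </script> inside the string would otherwise end the block regardless of how the quotes are handled.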