Yadhu's Blog

Tag: XSS

A tale of HTML Injection to Account takedown at Exercism.org

# About Exercism

Exercism is an online platform that helps people improve their programming skills through practice and mentoring. They are an open-source organization with over 200 GitHub repositories, thousands of contributors, and a friendly, inclusive community.

I came to know about the platform in 2018 when my mentor, Vipin Pavithran, asked me to improve my coding skills by practicing on Exercism.

Exercism is an amazing platform to learn to code. It has an amazing set of challenges and a huge variety of learning tracks.

Exploiting Client-side Prototype Pollution - arg.js

First of all, a big shoutout to the challenge author. All the challenges in this set are available here.


## Analysis

Going through the challenge source, we can see that two JavaScript files are imported.

```html
<script src="https://raw.githack.com/stretchr/arg.js/master/dist/arg-1.4.js"></script>
<script src="js/main.js"></script>
```

arg-1.4.js is a popular library for parsing URL parameters, and main.js has the following content.


```javascript
// Lookup table for the "type" query parameter. A plain object literal
// inherits from Object.prototype, so any key added there is visible here.
let data = {
    small: "Hi, there!",
    big: "Hello, world!"
}

const vuln = document.querySelector("#vuln");
let queryStrings = window.location.search;
let params = new URLSearchParams(queryStrings);

let vulnParams = () => {
    // The fragment (everything after "#") is parsed by arg.js into an object.
    let fragments = Arg.parse(location.hash.substr(1));
    // This check walks the prototype chain: a key that exists on
    // Object.prototype satisfies it even though it is not in "data".
    if(data[params.get("type")] !== undefined) vuln.innerHTML = "<h2>"+data[params.get("type")]+"</h2>";
    else vuln.innerHTML = "<h2>This region seems like something you need to look at.</h2>";
}

// Re-run whenever the fragment changes, so the page never needs to reload.
window.onhashchange = () => {
    vulnParams();
}

vulnParams();
```

We can see that main.js uses the Arg library to parse location.hash and uses URLSearchParams to parse query strings.
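To make the mechanism concrete, here is an added example that is not arg.js's code and not the challenge's code: a small hypothetical parser (`parseUnsafe`) that expands bracketed keys such as `a[b]=1` into nested objects the way many query-string libraries do, with no guard on segment names, next to a hardened variant (`parseSafe`). `lookupType` mirrors the `data[type] !== undefined` check from main.js, and `lookupTypeSafe` shows the own-property check that would have kept the lookup from reading inherited keys. The key path and the marker value `polluted` are constructed for the demonstration.

```javascript
// Hypothetical helper: split "a[b][c]" into ["a", "b", "c"].
function splitKey(key) {
  return key.replace(/\]/g, "").split("[");
}

// Vulnerable variant: walks the key path and assigns without checking
// whether a segment names a prototype-chain property.
function parseUnsafe(qs) {
  const out = {};
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const [rawKey, rawVal = ""] = pair.split("=");
    const path = splitKey(decodeURIComponent(rawKey));
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      // "__proto__" resolves to Object.prototype here, so the final
      // assignment below lands on the shared prototype.
      if (typeof cur[path[i]] !== "object" || cur[path[i]] === null) cur[path[i]] = {};
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = decodeURIComponent(rawVal);
  }
  return out;
}

// Hardened variant: rejects prototype-related segments, builds only
// null-prototype objects, and only descends into own properties.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

function parseSafe(qs) {
  const out = Object.create(null);
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const [rawKey, rawVal = ""] = pair.split("=");
    const path = splitKey(decodeURIComponent(rawKey));
    if (path.some((seg) => FORBIDDEN.has(seg))) continue; // drop the whole pair
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      if (!Object.prototype.hasOwnProperty.call(cur, seg) || typeof cur[seg] !== "object") {
        cur[seg] = Object.create(null);
      }
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = decodeURIComponent(rawVal);
  }
  return out;
}

// Mirrors the check in main.js: any key reachable through the prototype
// chain counts as "defined".
function lookupType(data, type) {
  return data[type] !== undefined ? data[type] : null;
}

// Own-property check: inherited keys are ignored.
function lookupTypeSafe(data, type) {
  return Object.prototype.hasOwnProperty.call(data, type) ? data[type] : null;
}

// Runs one parser over a constructed fragment, then performs the lookup
// the page does. Cleans up Object.prototype so calls stay independent.
function demo(parser, lookup) {
  const data = { small: "Hi, there!", big: "Hello, world!" };
  parser("__proto__[pwned]=polluted");
  const result = lookup(data, "pwned");
  delete Object.prototype.pwned;
  return result;
}

// demo(parseUnsafe, lookupType)     -> "polluted"  (parser pollutes, lookup inherits)
// demo(parseUnsafe, lookupTypeSafe) -> null        (parser pollutes, lookup ignores it)
// demo(parseSafe, lookupType)       -> null        (parser refuses the key)
```

Either fix on its own closes the path shown in main.js: a parser that refuses prototype segments keeps Object.prototype clean, and a lookup that checks own properties stops caring what the prototype contains. Doing both is cheap, and the null-prototype result object in `parseSafe` also removes the `__proto__` setter entirely, so even a missed segment name could not reach the shared prototype.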