CTF#2 Level 1

Url: http://ctf.infosecinstitute.com/ctf2/exercises/ex1.php

Description: People want you to store your favorite links here. However, you are not into that, you just want to do some XSS magic to the page. Add an alert with the message ‘Ex1’ to the page (My Sites:)

Vulnerability: A3 Cross-Site Scripting (XSS)

Level 1 has an XSS vulnerability. According to OWASP, Cross-site Scripting (XSS) is a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.



Ok, let’s try inputting <script>alert('Ex1')</script> in the Site Name form and http://shellnux.in in the Site URL form, then press the Add Link button. I get the error message “Please match the requested format.” It seems not to be working, so let’s view the source code (right click on the page and choose “View page source”; I’m using Mozilla Firefox). I find a line that contains the required pattern for what I input in the Site Name form:

<label> Site Name
   <input type="text" placeholder="Name of site" maxsize="10" class="form-control" pattern="[A-Za-z]+" required name="name"/>

I have to remove the “pattern” attribute from the source if I want to input a malicious script in the Site Name form. The easy way to do this is to install a Firefox Add-on called Firebug: just open the link and press the Add to Firefox button. After the install finishes, go back to the Ex1 page, right click on the Site Name form and choose “Inspect Element with Firebug”.

Click on the pattern attribute and press Del, then input the <script> payload above again. The result is shown in the upper left, and it is still not working, so look further through the source code, where I found this line:

 <script src="../js/ex1.js" type="text/javascript"></script>

Just click the ex1.js link and check this code in the ex1.js source:

$("form.ex1").submit(function(evt) {
    // Client-side "sanitizing": only < and > are replaced, and only in the browser
    var siteName = $(".ex1 input[type='text']").val().trim().replace(/</g, "&lt;").replace(/>/g, "&gt;");
    var siteURL = $(".ex1 input[type='url']").val().trim().replace(/</g, "&lt;").replace(/>/g, "&gt;");
    // ... rest of the submit handler (not shown in this writeup)
});

This is why it does not work: every time I input “<” the code converts it to “&lt;”, and likewise “>” to “&gt;”. That is why, as the hint above says, I have to bypass this validation. Back in Firebug, in the Script tab look for *.js, or use the “all” drop-down button beside it and choose ex1.js; see the screenshot below.

Add a breakpoint by clicking on the input validation line for Site URL, fill in the Site Name and Site URL forms and submit. At the bottom of the right pane there is a value siteName; change its value to the XSS script <script>alert('Ex1')</script>, then press the Continue button or F8. Boom, I pass level 1.
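The reason this works is that both the pattern attribute and the replace() calls in ex1.js run in the browser, so anyone with Firebug can edit or pause them; they are usability helpers, not a security control. The example below is added here and is not code from the CTF page or its ex1.js. It shows the same site-name pattern check, a URL scheme check and full HTML encoding done on the server in Node.js, where a tampered client cannot skip them. The handleAddLink function, its { status, html } return shape and the sample requests are assumptions I constructed for the demonstration.

```javascript
// Added example (not from the CTF page or ex1.js): the checks the page's
// client-side code performs, re-implemented where they belong, on the server.

// Mirrors the pattern="[A-Za-z]+" and maxsize="10" constraints from the form.
const SITE_NAME_RE = /^[A-Za-z]{1,10}$/;

function isValidSiteName(name) {
  return typeof name === "string" && SITE_NAME_RE.test(name);
}

// Only absolute http(s) URLs are accepted; anything else is rejected.
function isValidSiteUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch {
    return false;
  }
}

// HTML-encode every character that can break out of an element or attribute
// context. ex1.js only replaces < and >, which leaves & and quotes untouched.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical server-side handler: validate first, then encode at output time.
// Returns { status, html } instead of writing a response so it can be tested.
function handleAddLink(body) {
  const name = (body.name || "").trim();
  const url = (body.url || "").trim();
  if (!isValidSiteName(name) || !isValidSiteUrl(url)) {
    return { status: 400, html: "<p>Invalid site name or URL.</p>" };
  }
  const html = `<li><a href="${escapeHtml(url)}">${escapeHtml(name)}</a></li>`;
  return { status: 200, html };
}

// Constructed sample requests: a normal one, the payload from the writeup sent by
// a client that skipped the checks, and a malformed URL.
const samples = [
  { name: "shellnux", url: "http://shellnux.in" },
  { name: "<script>alert('Ex1')</script>", url: "http://shellnux.in" },
  { name: "abc", url: "not a url" },
];

for (const s of samples) {
  console.log(JSON.stringify(handleAddLink(s)));
}
```

Even if the server chose to accept a wider character set for names, the second sample would render as text rather than execute, because escapeHtml encodes it at output time; the server never relies on what the browser did before submitting.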


Reference and Tools:
1. Website Hacking Part IV: Tips for Better Website Security – http://resources.infosecinstitute.com/website-hacking-part-iv-tips-better-website-security/
2. OWASP XSS – https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
3. Firebug Mozilla Add-on – https://addons.mozilla.org/en-us/firefox/addon/firebug/