Back on June 10, 2016, I published an XSS challenge on the hack.me platform that I called Small Youtube XSS. If you are here just for the solution and not interested in the write-up, the solution link is here.
Keep reading for the rules and hints.
In this XSS challenge you need to use many tricks to create a working vector. It is not that hard, but not so easy either.
- No user interaction allowed.
- Use only modern browsers (IE11, FF49 … etc.)
- We need to see an alert box with the domain name.
- Use (?xss=) as the injection point.
- Try to find missing or weak “things” in the HTTP headers and the HTML source.
- Have you ever been told that you are too short to join the basketball team? Now you are too long to XSS this.
- Watch the video for motivation “https://www.youtube.com/watch?v=hzBCI13rJmA” .
If you solve it, please contact me (a.hussam[at]isecur1ty.org), and enjoy!
The challenge has been running for months now, and there are only 2 solvers so far, although it has been started over 1100 times. So here is the solution.
I deleted the source code a long time ago, so I’ll try to guess or remember what I wrote. I made this challenge based on multi-step filters that do their filtering in serial steps.
- First, it replaces words like eval, setInterval, and setTimeout with (xss-event).
- Second, it removes the word script (the key to the solution).
- Third, it replaces event handler attributes with (xss-event) (except 2 of them).
- htmlentities is enabled on the xss parameter, so less-than, greater-than, and double quotation marks are useless.
<video width="450" height="400" controls name=injection_here> <source src="http://www.google.com/test.mp4" type="video/mp4"> Your browser does not support the video tag. </video>
Our injection point is inside the video tag’s attributes; here are the event handlers for video tags: HTML5 Video Events and API.
You will find that all of them have been filtered except for two!
onratechange, and
onratechange requires user interaction, so we excluded it.
The word domain is filtered, so we will have to use the script-removal trick.
<?php $_GET['xss'] = substr( $_GET['xss'], 0, 26) ; ?>
We should use another method to alert
document.domain, since the regular payload is too long. We should use
eval(). eval will make our string run as JS code, but where could we put a string? We can make it using
eval is filtered, but we can use the script trick again, so it will be
evscriptal(name). The all-in-one payload will be:
And here we are:
There are multiple ways to give a name to a window, like window.open or the name attribute of an iframe tag (I allowed the page to be framed, but I added frame busting to the page that can be bypassed easily).
- Adam Simuntis (adam.simuntis[at]secforce.com) with a nice and expected solution.
- Lucas Philippe (a bug in my code, which is fixed).
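To make the serial-filter weakness concrete, here is an added Python reconstruction of the filter chain described above; it is not the challenge’s original PHP (which no longer exists), the event handler list is a constructed sample, and the 26-character cut is assumed to run before the filters. It shows why one pass lets a token reassembled by the script removal through, and how re-running the pass until the output stops changing closes that gap.

```python
# Reconstruction of the challenge's three serial filter steps (constructed
# from the write-up; the real handler list and second unfiltered handler
# are not known, so FILTERED_HANDLERS is a sample).
BLOCKED_FUNCS = ("eval", "setInterval", "setTimeout")
FILTERED_HANDLERS = ("onplay", "onpause", "onended", "ontimeupdate")  # sample
MAX_LEN = 26  # substr($_GET['xss'], 0, 26)


def filter_once(payload: str) -> str:
    """One pass, in the order the write-up gives: functions, 'script', handlers."""
    s = payload[:MAX_LEN]                 # assumed: length cut happens first
    for func in BLOCKED_FUNCS:            # step 1: dangerous functions -> xss-event
        s = s.replace(func, "xss-event")
    s = s.replace("script", "")           # step 2: strip the word 'script'
    for handler in FILTERED_HANDLERS:     # step 3: handler attributes -> xss-event
        s = s.replace(handler, "xss-event")
    return s


def filter_until_stable(payload: str) -> str:
    """Hardened variant: repeat the pass until nothing changes, so a token
    that step 2 reassembles (ev|script|al -> eval) is caught by the next pass.
    A denylist is still not a real fix; context-aware output encoding is."""
    s = payload
    while True:
        nxt = filter_once(s)
        if nxt == s:
            return s
        s = nxt


def survives(payload: str, token: str, stable: bool = False) -> bool:
    """Does `token` remain in the filtered output? Used to compare both modes."""
    out = filter_until_stable(payload) if stable else filter_once(payload)
    return token in out


if __name__ == "__main__":
    for p in ("evscriptal(name)", "doscriptmain", "setTimeout", "onratechange=1"):
        print(f"{p!r:20} once={filter_once(p)!r:18} stable={filter_until_stable(p)!r}")
```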
I hope you enjoyed the write-up and the challenge; see you soon with another one.
For questions or inquiries, contact me on my Twitter account @Abdulahhusam.