Delving into XSS

I started poking at cross site scripting (XSS) and found this fairly benign one. The idea is to make the page run code that you pick. You can craft a URL that the page uses and that ends up running your script, so you could take over the page formatting, force a fake log-in prompt, and send the creds to another URL.

The site lets you roll dice, like for play-by-post games.

You can name each roll and provide notes. Then you can look up the roll by number, and your data is saved in the database. There may be SQL injections here too, but I'm only poking at the XSS part. User input isn't escaped enough on the name field, and on the landing page the name becomes a link.

So, if we make the name of the roll f"onmouseover="alert(1) (worked out below), then when you look up the roll and mouse over the link, it runs our script and displays an alert of "1". Here is a saved roll showing it working.

I basically looked at the generated source and figured out what I had to type to alter the HTML/DOM so that my code ended up in there.

I had to change this:
<a href="">NAME</a>

Into this:
<a href="">f"onmouseover="alert(1)</a>

The idea was to provide a short name, f in this case, then a double quote to close the attribute the name lands in, and then set a new attribute on the link: the onmouseover handler. The page inserts "> at the end of the name, so I leave the final closing quote off of "alert(1)" and let the page's own quote close it. I thought I needed a space between " and onmouseover, but it turns out you don't: the HTML parser recovers from the missing whitespace and treats it as a new attribute anyway, thanks Chrome.
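The attribute injection above, as an added example that is not the post's code or the dice site's code. The template shape (a title attribute on the link) is an assumption, since the post only shows the name landing inside the tag's quotes; the payload is the one from the post. The example renders the name with and without HTML attribute encoding and then lists the attributes a browser would see on the resulting tag, including the case where onmouseover follows the closing quote with no space.

```javascript
// Added example (not from the original post). Demonstrates why the roll name
// f"onmouseover="alert(1) breaks out of a quoted attribute, and why output
// encoding fixes it. The <a ... title="NAME"> template is an assumption.

const PAYLOAD = 'f"onmouseover="alert(1)';  // from the post; trailing quote left off

// Vulnerable render: untrusted name interpolated straight into a quoted attribute.
function renderLinkUnsafe(name) {
  return `<a href="#" title="${name}">${name}</a>`;
}

// HTML-encode the characters that can change context inside text or attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  }[c]));
}

// Hardened render: the same template, but the name is encoded on output.
function renderLinkSafe(name) {
  const n = escapeHtml(name);
  return `<a href="#" title="${n}">${n}</a>`;
}

// Minimal attribute-name extractor for a single <a ...> start tag. It mirrors
// the tokenizer recovery the post observed: a name immediately after a closing
// quote starts a new attribute, whitespace or not. It is a simplification, not
// a full HTML5 tokenizer, and is only used to show what the browser would see.
function attributeNames(html) {
  const tag = html.match(/^<a\s([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const re = /([^\s"'=\/>]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*))?/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True when the rendered tag gained an on* event-handler attribute it did not have.
function gainedEventHandler(html) {
  return attributeNames(html).some((n) => n.startsWith('on'));
}

// Stand-alone demo.
console.log('unsafe:', renderLinkUnsafe(PAYLOAD));
console.log('  attrs:', attributeNames(renderLinkUnsafe(PAYLOAD)));
console.log('safe:  ', renderLinkSafe(PAYLOAD));
console.log('  attrs:', attributeNames(renderLinkSafe(PAYLOAD)));
```

The unsafe render yields href, title and onmouseover as attributes, because the name's first " closes title and the template's own "> closes alert(1). The safe render keeps the name inside title as f&quot;onmouseover=&quot;alert(1), so the browser sees only href and title. Note that the fix lives at output time, where the context (an attribute) is known; scrubbing the name on input would have to guess every context the value might later be written into.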
Tags: xss example
