Shibuya.XSS JIZEN GAKUSHU Challenge
Cure53 edited this page Mar 30, 2016
·
5 revisions
Pages 22
- Home
- Cure53 Easter Challenge '13
- Cure53 Singapore Training Challenge
- Cure53 X Mas Challenge '13
- ES6 Challenge
- H5SC Mini Challenge 4
- H5SC Mini Challenge 5
- H5SC Minichallenge 3: "Sh*t, it's CSP!"
- H5SC Minichallenge 3: "Sh*t, it's CSP!".
- JSON Hijacking Mini Challenge
- Mini Puzzle 1 on kcal.pw
- Mini Puzzle 2 on kcal.pw
- Older Challenges and Write Ups
- prompt.ml
- Puzzle 1 on kcal.pw
- Puzzle 2 on kcal.pw
- Puzzle 3 on kcal.pw
- S03 XSS Puzzle
- Shibuya.XSS JIZEN GAKUSHU Challenge
- Shibuya.XSS JIZEN GAKUSHU Challenge 2
- XSSMas Challenge 2014
- XSSMas Challenge 2015
- Show 7 more pages…
XSS Challenge Wiki
Prompt.ml
- Prompt.ml The prompt(1) Challenge
Kcal.pw Puzzles
Cure53 Challenges
H5SC Mini-Challenges
Other Challenges
Clone this wiki locally
Shibuya.XSS JIZEN-GAKUSHU Challenge
This challenge was posted by Masato Kinugawa in March 2016, accompanying the Shibuya.XSS event in Tokyo.
URLs
- http://shibuya.vulnerabledoma.in/jizen (Challenge Website)
- http://shibuyaxss.connpass.com/event/28232/ (Event Website)
- https://speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-7 (Slides by Masato)
Solution
The model solution created by Masato Kinugawa:
Note: You have to use unencoded characters instead of %22 and %3c, copy&paste might break the PoC. You can also click here to play with the PoC: http://is.gd/6KL7sV
Tested and confirmed on MSIE11 and Edge (!).
Why does that work?
There is several reasons why this works, and several tricks being used to attack the seemingly secure page:
- First of all, jQuery mobile performs a navigation that is supported by the use of
history.pushState()- Check out the jQuery Mobile docs about
hashListeningEnabledandpushStateEnabled: http://demos.jquerymobile.com/1.0/docs/api/globalconfig.html
- Check out the jQuery Mobile docs about
- This is not a bug in itself, but combined with the existing JavaScript on the page, it becomes a vulnerability
- As can be seen, on the website, a "tracking image" is built, using
location.pathname - Combining
history.pushState()with amhtml:protocol handler allows to inject unencoded payload into thelocation.pathnameproperty - So, first the jQuery mobile framework "navigates" to the new URL, then the now infected
location.pathnameproperty will be used to create a HTML element - Given the lack of encoding, we can now break the HTML string and create an active element. Aaaand, XSS.
Challenge solved :)