Shibuya.XSS JIZEN GAKUSHU Challenge 2
Pages 22
- Home
- Cure53 Easter Challenge '13
- Cure53 Singapore Training Challenge
- Cure53 X Mas Challenge '13
- ES6 Challenge
- H5SC Mini Challenge 4
- H5SC Mini Challenge 5
- H5SC Minichallenge 3: "Sh*t, it's CSP!"
- H5SC Minichallenge 3: "Sh*t, it's CSP!".
- JSON Hijacking Mini Challenge
- Mini Puzzle 1 on kcal.pw
- Mini Puzzle 2 on kcal.pw
- Older Challenges and Write Ups
- prompt.ml
- Puzzle 1 on kcal.pw
- Puzzle 2 on kcal.pw
- Puzzle 3 on kcal.pw
- S03 XSS Puzzle
- Shibuya.XSS JIZEN GAKUSHU Challenge
- Shibuya.XSS JIZEN GAKUSHU Challenge 2
- XSSMas Challenge 2014
- XSSMas Challenge 2015
- Show 7 more pages…
XSS Challenge Wiki
Prompt.ml
- Prompt.ml The prompt(1) Challenge
Kcal.pw Puzzles
Cure53 Challenges
H5SC Mini-Challenges
Other Challenges
Clone this wiki locally
Shibuya.XSS JIZEN-GAKUSHU Challenge 2
This challenge was posted by Masato Kinugawa in March 2016, accompanying the Shibuya.XSS event in Tokyo.
URLs
- http://shibuya.vulnerabledoma.in/jizen2 (Challenge Website)
- http://shibuyaxss.connpass.com/event/28232/ (Event Website)
- https://speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-7 (Slides by Masato)
Solution
The following solution was submitted by @0x6D6172696F and @filedescriptor:
<!-- Works on MSIE 11 -->
<meta http-equiv="X-UA-Compatible" content="IE=9">
<object type="text/html" data="mhtml:http://shibuya.vulnerabledoma.in/javascript:alert(1)@if(0)%2f..%2fjizen2?@end#foobar!"></object>
<embed type="text/html" src="mhtml:http://shibuya.vulnerabledoma.in/javascript:alert(1)@if(0)%2f..%2fjizen2?@end#foobar!"></embed>Note, that this solution only works when loaded from a EML page - not a HTML website. Masato's model solution shown below is a bit more flexible.
The model solution created by Masato Kinugawa:
http://l0.cm/shibuya/jizen2.html
<meta http-equiv="X-UA-Compatible" content="IE=9">
<embed src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/%2F..%2F..%2Fjizen2#hash"></embed>Why does that work?
There is several reasons why this works, and several tricks being used to attack the seemingly secure page:
- The page is being embedded by an external page, that itself is using MSIE document mode 9
- By doing so, not only the embedding page runs in IE9 mode, the embedded one does as well!
- The page is being loaded via an
embed/objectelement. This will have an interesting effect on MSIE!- In this constellation, IE9 mode and embedded by an
embedorobject, the propertylocation.pathnamewill not be prefixed by a slash! That opens the door for an attack.
- In this constellation, IE9 mode and embedded by an
- Now, in addition to that, the server configuration of the challenge page allows to use encoded slashes, see the Apache docs about the setting called
AllowEncodedSlashes: https://httpd.apache.org/docs/2.4/mod/core.html#AllowEncodedSlashes- This allows the attacker to infect the path with a hidden JavaScript URI
Combining those tricks, MSIE9 document mode 9, embedding the challenge page to get a location.pathname without slash and in addition the abuse or Apache's AllowEncodedSlahses sets all conditions necessary for the alert to pop.
Challenge solved :)