The website allowed users to register, and after logging in it was possible to write some text in a textarea and save it for later display.
Another function available on the site was the possibility to submit a URL for review by the site administrator (a sort of whistleblowing-like platform).
The objective of the task was to steal the content of the administrator's secret textarea.
By logging off and on again from a different browser, the textarea content was preserved, which suggested that this information was saved somewhere server side, but where?
Inspecting the page source turned up a file.js that contained the following code:
(file.js listing, 55 lines, not reproduced here)
A couple of interesting things are happening here:
- before populating the textarea it uses some functions to verify that the domain from which the script is included is challs.ctf.site or a subdomain of it.
How can this be exploited?
Let's look at the function that actually checks for the subdomain: it relies on the function regExp.test().
This function is global and not defined in the js itself: it comes from RegExp.prototype. What we can do, therefore, is override RegExp.prototype.test in our own page, before the script is included, with a function that always returns true, effectively nullifying the check.
The following code is the exploit I used to grab the secret message (the flag).
(exploit listing, 36 lines, not reproduced here)
And here is the result, as logged by my server:
126.96.36.199 - - [14/Sep/2015:23:30:37 +0200] "GET /collect.gif?cookie=EKO%7Bclient_side_security_for_the_lulz%7D