Category: Web
Difficulty: Hard
Author: Staubfinger
I made an Xmas Shop! If you run into any problems, just submit a link on the submit page - and I will check it for you.
Check it out at: http://xss.allesctf.net/
At xss.allesctf.net there is a website with two stages:
Stage1:
Stage2:
In the second stage the flag is shown on the website. To get the real flag we have to find an XSS
vulnerability and attack the admin. For that there is a Submit page in the first stage,
where we can submit a URL that the admin will then visit.
Let's try to XSS ourselves first.
The website has a search field at the top right; search fields are often vulnerable to simple reflected XSS:
In the Inspector
we can see that the input is reflected into the page, so we try to inject a simple script:
The script element is reflected inside the page, but there is no popup. The console tells us why:
The Content Security Policy (CSP)
is a response header that tells the browser which sources of content (scripts, objects, frames, ...) are allowed to load. There are many directives and source expressions, and the CSP Evaluator
can be used to parse a policy and point out its weak spots.
Here is the header from the response:
Content-Security-Policy: default-src 'self' http://*.xss.allesctf.net; object-src 'none'; base-uri 'none';
And the output of the evaluator:
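To see what this header actually means for our injected script, here is a small CSP checker for the script-loading decision. It is an added example, not code from the writeup or from the challenge: it parses the header above and answers two questions the browser answers before running a script - is an inline `<script>` allowed at all, and from which hosts may an external script be loaded? Only `'self'`, `'none'`, `*`, and scheme/host sources with a leading `*.` wildcard are implemented; nonces and hashes are treated as "not a host source". The page origin and the test URLs are constructed for the example.

```javascript
// Minimal CSP checker, added as an example (not the writeup's or the challenge's code).
// Assumptions: only 'self', 'none', '*', and [scheme://]host sources (with a leading
// "*." wildcard) are handled; port and path parts of a host source are ignored.

const POLICY =
  "default-src 'self' http://*.xss.allesctf.net; object-src 'none'; base-uri 'none';";
const PAGE_ORIGIN = "http://xss.allesctf.net"; // assumed origin of the challenge page

// Parse "name value value; name value" into { name: [values] }.
// A repeated directive is ignored by browsers; the first occurrence wins.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// script-src falls back to default-src; with neither present, scripts are unrestricted.
function scriptSources(directives) {
  if ("script-src" in directives) return directives["script-src"];
  if ("default-src" in directives) return directives["default-src"];
  return null;
}

// An inline <script>alert(1)</script> needs 'unsafe-inline' (or a matching
// nonce/hash, which this policy does not carry), so it is blocked here.
function allowsInlineScript(directives) {
  const srcs = scriptSources(directives);
  if (srcs === null) return true;
  return srcs.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// "*.example.com" matches any subdomain but NOT example.com itself.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Would the browser fetch an external script from scriptUrl under this policy?
function allowsScriptUrl(directives, scriptUrl, pageOrigin) {
  const srcs = scriptSources(directives);
  if (srcs === null) return true;
  const url = new URL(scriptUrl);
  const page = new URL(pageOrigin);
  for (const raw of srcs) {
    const src = raw.toLowerCase();
    if (src === "'none'") continue;
    if (src === "*") return true;
    if (src === "'self'") {
      if (url.origin === page.origin) return true; // same scheme, host and port
      continue;
    }
    if (src.startsWith("'")) continue; // 'unsafe-inline', 'nonce-…', 'sha256-…': not a host
    // host-source: [scheme://]host[:port][/path]
    let scheme = null;
    let rest = src;
    const sep = src.indexOf("://");
    if (sep !== -1) {
      scheme = src.slice(0, sep);
      rest = src.slice(sep + 3);
    }
    const host = rest.split("/")[0].split(":")[0];
    // scheme-part match: an http: source also matches https: URLs (upgrade is allowed)
    if (scheme !== null) {
      const ok = scheme + ":" === url.protocol || (scheme === "http" && url.protocol === "https:");
      if (!ok) continue;
    }
    if (hostMatches(host, url.hostname)) return true;
  }
  return false;
}

// Example run against the header from the challenge; the script URLs are constructed.
const policy = parseCsp(POLICY);
console.log("inline script allowed:", allowsInlineScript(policy));
console.log("http://xss.allesctf.net/x.js:", allowsScriptUrl(policy, "http://xss.allesctf.net/x.js", PAGE_ORIGIN));
console.log("http://anything.xss.allesctf.net/x.js:", allowsScriptUrl(policy, "http://anything.xss.allesctf.net/x.js", PAGE_ORIGIN));
console.log("http://attacker.example/x.js:", allowsScriptUrl(policy, "http://attacker.example/x.js", PAGE_ORIGIN));
```

The output matches what the console complained about: the inline `<script>` is refused because there is no `'unsafe-inline'`, and a script hosted anywhere outside the site is refused as well. What the checker also makes visible is the other half of the policy: `http://*.xss.allesctf.net` lets the page load script from any subdomain of xss.allesctf.net, so content that ends up on such a host is trusted as script source by this CSP.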