Xmas Shopping Site - localo

Category: Web
Difficulty: Hard
Author: Staubfinger

Description

I made an Xmas Shop! If you run into any problems, just submit a link on the submit page - and I will check it for you.

Check it out at: http://xss.allesctf.net/

Summary

On xss.allesctf.net there is a website with two stages...
Stage1:

Stage2:

On the second stage the flag is shown on the website. To get the real flag we have to find an XSS vulnerability and attack the admin. For this there is a Submit page in the first stage.

Here we can submit a URL and the admin will visit it.

Solution

Let's try to XSS ourselves first.
The website has a search field at the top right; those are often vulnerable to simple XSS attacks:

In the Inspector we can see that the input is reflected, so we try to inject a simple script:

The script element is reflected inside the website, but there is no popup. The console tells us why:

CSP

The Content Security Policy is a response header that tells the browser which content it is allowed to load and execute. There are many directives, and the CSP evaluator link can be used to parse and assess them.
Here is the header from the response:

Content-Security-Policy: default-src 'self' http://*.xss.allesctf.net; object-src 'none'; base-uri 'none';
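To see what this policy actually permits, here is a small added example (not part of the original writeup) that parses the header above and applies the two rules that matter here: `script-src` falls back to `default-src` because it is not set explicitly, and an inline `<script>` is only allowed when `'unsafe-inline'` is present. The script URLs fed to it are constructed for illustration; the policy string is the one quoted above.

```python
from urllib.parse import urlparse

# The CSP header quoted above, copied from the page.
CSP_HEADER = ("default-src 'self' http://*.xss.allesctf.net; "
              "object-src 'none'; base-uri 'none';")


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives such as script-src fall back to default-src."""
    return policy.get(directive, policy.get("default-src", []))


def host_matches(pattern, host):
    """CSP host-source match: '*.example.com' matches any subdomain,
    but not example.com itself."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] is ".example.com"
    return pattern == host


def allows_script(policy, src, page_origin):
    """Return True if a script may run. src=None means an inline <script>."""
    sources = effective_sources(policy, "script-src")
    if src is None:
        return "'unsafe-inline'" in sources
    if "'none'" in sources:
        return False
    parsed, page = urlparse(src), urlparse(page_origin)
    for s in sources:
        if s == "'self'":
            if (parsed.scheme, parsed.netloc) == (page.scheme, page.netloc):
                return True
        elif s.startswith("'"):
            continue  # other keywords / nonces never match a URL
        else:
            exp = urlparse(s if "://" in s else "//" + s)
            if exp.scheme and exp.scheme != parsed.scheme:
                continue  # explicit scheme must match
            if host_matches(exp.hostname or "", parsed.hostname or ""):
                return True
    return False
```

Running it shows that the injected inline script is blocked, while any script served from a subdomain of xss.allesctf.net is allowed, which is exactly the kind of wildcard host-source an evaluator flags.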

And the output of the evaluator: