tom/darkly
1
0
Fork 0
mirror of https://github.com/tmoron/darkly.git synced 2025-09-27 20:58:35 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
e6fa02f7359967eafd53b951dfb0cfe77d1f746c
darkly/XSS_bypass_encoding/README.md
Yavin Contre d617047925 + | More flags
2025-04-09 16:19:48 +02:00

37 lines
1.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# XSS Vulnerability in the Clickable Image
## How We Found It
On the homepage, we noticed a clickable image that led to a strange page at:
`http://10.11.248.192/?page=media&src=nsa`
At first, we suspected several issues, but then we saw our input was being injected inside an object's `data` attribute.
We tried a simple `javascript:alert(1)` payload, but it was blocked by JavaScript sanitization. Next, we exploited the unsanitized `data:text/html` scheme by injecting HTML directly for example, using:
```html
data:text/html,<h1>salut</h1>
```
Finally, we went for a more sophisticated payload:
```html
data:text/html,<script>alert("XSS");</script>
```
This worked and showed an alert but didnt trigger the flag system. We then encoded the script payload in base64 to bypass a sort of hardcoded "script" detection:
```html
data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
```
Since the `+` character was being replaced by a space during URL encoding, we encoded the entire payload, resulting in:
```html
data%3Atext%2Fhtml%3Bbase64%2CPHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ%2BCg%3D%3D
```
This final payload delivered the flag.
## Utility of It
XSS vulnerabilities can be extremely dangerous in real-world scenarios. They allow attackers to inject and execute arbitrary HTML or JavaScript in the browsers of other users. This can lead to session hijacking, defacement, or even full account takeover, making them a critical issue in web security.
## How Can We Patch It
To fix this vulnerability, ensure that all user inputs injected into the page are properly sanitized and encoded, especially when used in sensitive attributes like `data`. Using Content Security Policy (CSP) headers can also help mitigate the impact of any XSS attacks that slip through.
Reference in New Issue View Git Blame Copy Permalink