This repository has been archived by the owner on Jul 4, 2023. It is now read-only.

Mini Puzzle 1 on kcal.pw

cure53 edited this page Oct 15, 2014 · 3 revisions

Intro

Not only did @avlidienbrunn sponsor his neat trick, but he also suggested adding some XSS Jigsaw stuff to make the challenge less boring. As mentioned before, the trick is extremely useful, as it can trigger a vector without user interaction. By the way, if you have other neat tricks and don't want to host a challenge yourself, you are always welcome to ping me (@filedescriptor) for that :)

Setup

It really took us some effort to set up the challenge so that it contains hints yet looks natural. Too bad it turned out the hints were too obvious though :(

  • hints: tabindex, anchor (fragment id)
  • style before the injection point: no expressions allowed
  • filtering < and >: prevents escaping from the tag/attribute context

Solution

Besides the onresize trick, which only works in IE10, there are two generic ways that work in the latest IE and Chrome. The first one, as expected, is the combination of tabindex and anchor. First, tabindex makes an element focusable, which in turn allows a focus event handler to be attached to it. Second, it can be noticed that in Chrome and IE an anchor (the fragment id in the URL) will focus the matching element once the page is loaded. So bam, no user interaction required. Likewise, contenteditable behaves similarly, as it also makes an element focusable.

Submission

There are too many submissions, so I will just pick some examples.

http://kcal.pw/mini-puzzle.php?xss=%22onresize=%22alert(1)

http://kcal.pw/mini-puzzle.php?xss=a%22contenteditable%20onfocus=%22alert(1)#a

http://kcal.pw/mini-puzzle.php?xss=a%22tabindex=9%20onfocus=%22alert(1)#a