Mini Puzzle 1 on kcal.pw
Not only did @avlidienbrunn sponsor his neat trick, but he also suggested adding some XSS Jigsaw stuff to make the challenge less boring. As mentioned before, the trick is extremely useful as it can trigger a vector without user interaction. By the way, if you have other neat tricks and don't want to host a challenge yourself, you are always welcome to ping me (@filedescriptor) for that :)
It really took us some effort to set up the challenge so that it contains hints yet looks natural. Too bad it turned out the hints were too obvious though :(
- hints: tabindex, anchor (fragment id)
- style before the injection point: no expressions allowed
- filtering < and >: prevents escaping from the tag-attribute context
Besides the onresize trick, which only works in IE10, there are two generic ways that work under the latest IE and Chrome. The first one, as expected, is the combination of tabindex and an anchor. First, tabindex makes an element focusable, which in turn allows a focus event handler attached to that element to fire. Second, in Chrome and IE, navigating to an anchor (the fragment id) focuses the matching element once the page is loaded. So bam, no user interaction required. Likewise, contenteditable behaves the same way, as it also makes an element focusable.
There are too many submissions, so I just picked some examples.
http://kcal.pw/mini-puzzle.php?xss=%22onresize=%22alert(1)
http://kcal.pw/mini-puzzle.php?xss=a%22contenteditable%20onfocus=%22alert(1)#a
http://kcal.pw/mini-puzzle.php?xss=a%22tabindex=9%20onfocus=%22alert(1)#a
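To show the context escape from the defender's side, here is an added JavaScript example; it is not code from this wiki page or from kcal.pw. It reconstructs the puzzle's filter from the hints (only < and > are stripped), puts it beside a proper encoder for a double-quoted attribute value, and runs a small start-tag attribute parser over the rendered markup so the three submissions above show up as extra attributes on the weak path and as an inert id value on the encoded path. The template (a style attribute before the injected id value) and the parser are assumptions, not the challenge's real markup or code.

```javascript
// Added example: attribute-context encoding the mini puzzle lacks, plus a check
// that reveals whether user input escaped the attribute. Not the challenge's code.

// Constructed template: a style attribute before the injection point, which
// sits inside a double-quoted id attribute (assumption about the real markup).
const PREFIX = '<div style="width:100px" id="';
const SUFFIX = '">target</div>';

// The puzzle's filter as reconstructed from the hints: only < and > are dropped,
// so tag injection is blocked but a double quote still closes the attribute.
function weakFilter(input) {
  return input.replace(/[<>]/g, '');
}

// Correct encoding for a value placed inside a double-quoted HTML attribute:
// every character that can end the value or start an entity is escaped.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeAttr(input) {
  return input.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

function render(input, encoder) {
  return PREFIX + encoder(input) + SUFFIX;
}

// Minimal start-tag parser: returns the attribute names a browser would see in
// the first tag of `html`. Unquoted values end at whitespace, quoted values at
// the matching quote; this is enough to expose a context escape.
function attributeNames(html) {
  const end = html.indexOf('>');
  const names = [];
  let i = html.indexOf(' ');
  if (i === -1 || end === -1) return names;
  while (i < end) {
    while (i < end && /\s/.test(html[i])) i++;
    if (i >= end) break;
    let name = '';
    while (i < end && !/[\s=]/.test(html[i])) name += html[i++];
    if (name) names.push(name.toLowerCase());
    while (i < end && /\s/.test(html[i])) i++;
    if (html[i] === '=') {
      i++;
      while (i < end && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        const close = html.indexOf(q, i + 1);
        i = close === -1 || close > end ? end : close + 1;
      } else {
        while (i < end && !/\s/.test(html[i])) i++;
      }
    }
  }
  return names;
}

// Attributes present after rendering `input` that the template itself does not
// declare. A non-empty result means the input broke out of the id attribute.
function injectedAttributes(input, encoder) {
  const base = new Set(attributeNames(render('', encoder)));
  return attributeNames(render(input, encoder)).filter((n) => !base.has(n));
}

// Decoded `xss` values of the three submissions above (constructed strings).
const SUBMISSIONS = [
  '"onresize="alert(1)',
  'a"contenteditable onfocus="alert(1)',
  'a"tabindex=9 onfocus="alert(1)',
];

for (const s of SUBMISSIONS) {
  console.log(JSON.stringify(s));
  console.log('  weakFilter ->', injectedAttributes(s, weakFilter));
  console.log('  encodeAttr ->', injectedAttributes(s, encodeAttr));
}
```

The parser is deliberately lenient in the same way browsers are: a bare `tabindex=9` or `contenteditable` with no quotes still becomes an attribute, which is exactly why stripping angle brackets is not a defence for an attribute context. Encoding the quote turns the whole submission back into a plain id value.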