Cross Site Scripting CTF
What is a Cross Site Scripting Attack ?
A Cross Site Scripting attack (also known as XSS) is a malicious code injection that is executed in the victim’s browser. The malicious script may also be stored on the web server and executed every time a user invokes the affected functionality.
An XSS attack is usually performed on the client side. It can be carried out with different client-side languages but is mostly performed with JavaScript and HTML. I will demonstrate how an attacker can perform an XSS attack by working through Hyperion Gray’s How To Hack and Defend Your Website CTF exercises. I urge you to try the exercises on your own and to use this article only as a guide if you’re stuck and need help.
CTF Walk-through
Exercise One
In order to complete the first exercise, we need to enter the correct password. To look for clues on what the password could be, we go ahead and view the page source.
As seen in the screenshot above, we notice suspicious URL encoded characters at the bottom of the page source.
We go ahead and decode the URL encoded characters. To decode URL encoding on Ubuntu Linux we first have to install gridsite-clients.
Simply run: sudo apt-get install gridsite-clients
Once installed, we can use the urlencode command in the terminal to decode the URL encoded characters, as shown below.
We get: “The password is 42d388f8b1db997faaf7dab487f11290 — or is it?”
We go back to the page source and quickly realize that the password cannot have more than 10 characters.
With this realization, we suspect that the real password has been hashed.
Hashing a password means computing a fixed value from a string of text (in this case our password) using a mathematical function. We will crack 42d388f8b1db997faaf7dab487f11290 using CrackStation (Free Password Hash Cracker).
As shown above, we see that our password, blahblah, was hashed with the MD5 hash function. Once we enter the password, it redirects us to exercise two.
Exercise Two
Just like in exercise one, we view the page source for clues.
We notice the URL encoded characters at the bottom and decode them to see if there is any useful information.
We get: “Nope! This one isn’t going to be that easy!”
We switch our attention to the String.fromCharCode() method, which returns a string created from the specified sequence of UTF-16 code units.
Note that this method returns a primitive string, not a String object, because fromCharCode() is a static method of String. In simple terms, it is called as String.fromCharCode() (as shown above) rather than as a method of a String object you have created.
To obtain the string returned by String.fromCharCode(num1[, ...[, numN]]), we use an online tool, Convert Town, to convert the ASCII codes to text.
On closer inspection, we notice that the result is the link to the next exercise, so we have successfully unlocked it.
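The two decoding steps above (the percent-encoded comment in exercise one and the String.fromCharCode() call in exercise two) can be done without the online tools and, more importantly, without executing any script taken from the page. The following is an added example and is not code from the CTF or from Hyperion Gray; the sample page source and the example.com link inside it are constructed stand-ins.

```javascript
// Added example: statically decode the two obfuscation styles found in the CTF
// page sources (percent-encoding and String.fromCharCode calls), never executing
// any script from the page. The sample page source below is constructed.

// Decode one String.fromCharCode(n1, n2, ...) call expression. Returns null
// unless every argument is a numeric literal, so untrusted code such as
// String.fromCharCode(alert(1)) is rejected rather than evaluated.
function decodeFromCharCode(expr) {
  const m = /^\s*String\.fromCharCode\s*\(([^)]*)\)\s*;?\s*$/.exec(expr);
  if (!m) return null;
  const codes = [];
  for (const tok of m[1].split(',')) {
    const t = tok.trim();
    if (!/^(0x[0-9a-f]+|\d+)$/i.test(t)) return null; // numeric literals only
    codes.push(Number(t));
  }
  return String.fromCharCode(...codes);
}

// Percent-decoding as urlencode does it; a malformed sequence is reported
// through ok=false instead of being thrown.
function decodePercent(s) {
  try {
    return { ok: true, text: decodeURIComponent(s) };
  } catch (e) {
    return { ok: false, text: s };
  }
}

// All String.fromCharCode(...) calls in a blob of page source, decoded in order.
function findCharCodeStrings(source) {
  const out = [];
  for (const call of source.match(/String\.fromCharCode\s*\([^)]*\)/g) || []) {
    const decoded = decodeFromCharCode(call);
    if (decoded !== null) out.push(decoded);
  }
  return out;
}
// All runs of percent-encoded bytes in a blob of page source, decoded in order.
function findPercentEncoded(source) {
  return (source.match(/(?:%[0-9a-f]{2})+/gi) || []).map((s) => decodePercent(s).text);
}
// Constructed page source resembling the two exercises: an encoded HTML comment
// and a script line building a link (example.com stands in for the real CTF link).
const SAMPLE_SOURCE = [
  '<!-- %54%68%65%20%70%61%73%73%77%6f%72%64%20%69%73%20%68%69%64%64%65%6e -->',
  '<script>var next = String.fromCharCode(104,116,116,112,115,58,47,47,101,120,' +
    '97,109,112,108,101,46,99,111,109,47,110,101,120,116);</script>',
].join('\n');
```

Running findPercentEncoded(SAMPLE_SOURCE) and findCharCodeStrings(SAMPLE_SOURCE) recovers the hidden comment and the link without the page’s script ever running.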
Exercise Three
From the hint shown in the exercise, we need to debug the page to complete it. After interacting with the page as a whole, we realize that the radio button has been disabled.
We confirm this by inspecting the element.
To complete this exercise, we check the radio button by adding the checked HTML attribute to the <input> element.
As soon as we do this, the radio button becomes checked.
We can therefore click Submit to show the password.
As in exercise two, this password is a URL, and this is what we get when we visit it.
That marks the end of the CTF challenge.
Resources
If you have a website that you want to protect from Cross Site Scripting, see the OWASP Cheat Sheet Series on XSS prevention on GitHub.
To learn more about XSS, you can check out OWASP’s comprehensive article here.