#XSS

I need to find vulnerabilities on: https://cysec1.jeopardy.websec.saarland/xss/1

But I dont get what to do :(

Have you worked with XSS before?

The input from the text box gets reflected onto the HTML

No

Yes I tried something like <script>alert(1)</script> for task 1 but it didnt work however

You can't interact with <script> tags

For me it looks like this

What html elements can you interact with, and how could you use those to open an alert()?

With <script> ?

Is that a rendered element?

xD hmmm

Oh u used a button?

I did not

Hmm

What other elements are there in HTML?

Other than <script>?

Uhm idk maybe <a>?

How could you make that interactible?

Does onClick work?

It's a reflected XSS :)

Why don't you test that theory out?

I do now :D

What's the end result?

Nice worked! Ok

For task 2 I have to find then something which open alert in css right?

String escaping

Don't try to do XSS before you've inspected what the code does

How the elements are made

I did some magic there to hide the payload I used so you'd have to think about it a bit

Hm is the css relevant? I mean cant I just do the same like in Task 1?

Inspect element is your friend here

Try doing a normal name and color to see what it does

Ohhh it creates a <a> with my given style

Figuring things out?

Yes I got it I think

Color: green" onClick="alert(1)

Does that work?

Yes

Okay task 3 is a bit more difficult

I got maybe an idea

Or not xD. But I know that the result is saved with save() for every input. So I would have to insert the alert somehow for every input, but I don't know how.

Persistency get

Look at what the function is doing

You mean this one?

JS function

Oh ok let me look hmm

It's not too difficult to get the payload working once you figure it out

Did you pick a selection, hit submit, and refresh/reload the page?

Or visit some other site and come back to it?

This one's a good starting point

But the last sentence on that is not necessary

Yes

Did you check the js?

How's the answer stored?

It's a non-sanitized string

Solution?

What's the line handling that?

If (solution) {
localStorage.setItem('the_solution', solution);
}

On the right tracks, how'd you abuse that in your XSS injection using the Free Injection box?

And it's a single line handling the save

Uhm just with setting the solution to alert(1)

Does that work?

And what would the payload look like?

Keep in mind you have to use the Free Injection textbox

No xD

What did you try as a payload?

There's few ways of doing that

I just tried simple solution = alert(1)

Oofff

But thats wrong

Hahahha

What's the line handling the saving of the solution?

With this line or am I wrong?

That's 3 lines

Not 1

LocalStorage ...

LocalStorage.setItem('the_solution', solution);

This

Yup

Oh so maybe

No

What did you attempt?

I thought I can try LocalStorage.setItem('the_solution', alert(1));

Be wary for typos

LocalStorage isn't how that line is in the code

You're gonna need more than just that line

Hmm I dont get it

LocalStorage

vs

localStorage

But, you're gonna need extras to run that

LocalStorage.setItem('the_solution', alert(1))

Capitalization again

wait xD

localStorage.setItem('the_solution', alert(1))

now?

Test it out

no didnt work

it displays still the same answer which I submitted

oh wait hmm thats weird

I tried <script>localStorage.setItem('the_solution', alert(1))</script> now but the alert first is looking like that:

an after pressing on ok the website is loaded

is that normal?

Check the JS again

It's getting the solution in an onload event

Which fires when the page loads

yes

I have to change that then

hmm I cant do anything against that can that be?

You can inject new elements

what is the point if 'the_solution' is always loaded onload anyway?

Fancier injections

And you can get the full site to load before the payload gets triggered

But the task would theoretically already be finished, wouldn't it?

Yup

If you got persistency

Without malicious url

we have, haven't we?