DOJO Challenge #23 Winners!

May 15, 2023

The #23th DOJO CHALLENGE, 5Ways2XSS aims to exploit five different input sections that are all vulnerable to an Cross Site Scripting (XSS). To solve the challenge, only a single payload should be used that can exploit all input sections.

💡 You want to create your own DOJO and publish it? Send us a message on Twitter!

WINNERS!

We are glad to announce the #23 DOJO Challenge winners list.

3 BEST WRITE-UP REPORTS

  • The best write-ups reports were submitted by: Perce, Aku and YouKnowNothing! Congrats 🥳

The swag is on its way! 🎁

Subscribe to our Twitter and/or Linkedin feeds to be notified of the upcoming challenges.

Read on to find the best write-up as well as the challenge author’s recommendations.

The challenge

5Ways2XSS

See the challenge page >

We asked you to produce a qualified write-up report explaining the logic allowing such exploitation. This write-up serves two purposes:

  • Ensure no copy-paste would occur.
  • Determine the contestant ability to properly describe a vulnerability and its vectors inside a professionally redacted report. This capacity gives us invaluable hints on your own, unique, talent as a bug hunter.

BEST WRITE-UP REPORT

We would like to thank everyone who participated. The #23 DOJO challenge provided us with a large amount of high quality reports and everyone did a great job!

We had to make a selection of the best ones. These challenges allow to see that there are almost as many different solutions… as long as there is creativity! 😉

Thanks again for all your submissions and thanks for playing with us!

Perce‘s Write-Up

————– START OF Perce‘s REPORT ——————

During a security audit of the Dojo, I discovered five distinct XSS vulnerabilities, each with varying impacts and risks. These vulnerabilities allow attackers to inject malicious scripts into the web application, potentially compromising the security and integrity of user data.

Classic XSS using HTML tags

Description:

This vulnerability allows an attacker to inject malicious HTML tags (e.g., <script>) into the web application, causing the browser to execute the embedded script.

Exploitation:

  • Payload:
<script>console.log(1)</script>
  • Insert the payload into an input field or any location in the web application where user-supplied data is rendered without proper sanitization.
  • The payload will be executed by the browser as it interprets the HTML content, triggering a console log with the value ‘1’.

Impact/Risks:

This can lead to unauthorized access to sensitive information, session hijacking, defacement of the web application, or execution of other malicious actions in the context of the affected user.

Remediation:

Implement proper input validation and output encoding for all user-supplied data. Consider using Content Security Policy (CSP) to further mitigate the risk.

XSS within the original <script> tags

Description:

This vulnerability occurs when an attacker can inject their own JavaScript code inside existing <script> tags without breaking out of them.

Exploitation:

  • Payload:
`};console.log(2);{`
  • Locate a <script> tag in the web application where user-supplied data is used within the script without proper sanitization.
  • Insert the payload in the appropriate location within the script, effectively closing the original object or function and executing the console.log(2) before resuming the script with an open object or function.
  • The payload will be executed by the browser, triggering a console log with the value ‘2’.

Impact/Risks:

Similar to the Classic XSS, this vulnerability can lead to unauthorized access to sensitive information, session hijacking, defacement of the web application, or execution of other malicious actions in the context of the affected user.

Remediation:

Ensure that all user-supplied data is properly sanitized before being included inside script tags. Additionally, implement Content Security Policy (CSP) to limit the sources of script execution.

XSS inside the src attribute without breaking out of quotes

Description:

This vulnerability allows an attacker to inject a malicious URL into the src attribute of an HTML element, causing the browser to execute the content of the malicious URL.

Exploitation:

  • Payload:
data:,console.log(3)
  • Find an HTML element in the web application that uses the ‘src’ attribute, such as a <script> or <img> tag.
  • Replace the original ‘src’ value with the payload without breaking out of the quotes.
  • The browser will execute the payload when attempting to load the resource specified by the ‘src’ attribute, triggering a console log with the value ‘3’.

Impact/Risks:

This can lead to unauthorized access to sensitive information, session hijacking, defacement of the web application, or execution of other malicious actions in the context of the affected user.

Remediation:

Validate and sanitize user-supplied URLs and use allowlists for trusted sources. Implement Content Security Policy (CSP) to control the sources of external content.

XSS within the tag without breaking the original tag

Description:

This vulnerability occurs when an attacker can inject their own JavaScript code inside an existing HTML tag without breaking it or creating a new HTML tag.

Exploitation:

  • Payload:
onafterscriptexecute=console.log(4)
  • Find an HTML element in the web application where user-supplied data is used within the tag without proper sanitization.
  • Insert the payload within the existing tag without breaking it or creating a new tag.
  • The payload will be executed by the browser when it processes the onafterscriptexecute event, triggering a console log with the value ‘4’.

Impact/Risks:

Similar to other XSS vulnerabilities, this can lead to unauthorized access to sensitive information, session hijacking, defacement of the web application, or execution of other malicious actions in the context of the affected user.

Remediation:

Properly validate and sanitize user input, and use output encoding when rendering user-supplied data. Implement Content Security Policy (CSP) to further reduce the risk of XSS attacks.

DOM XSS within the input value without breaking out of quotes

Description:

This vulnerability occurs when an attacker can inject malicious JavaScript code into the value attribute of an HTML input element, causing the browser to execute the injected code when the DOM is manipulated by the application.

Exploitation:

  • Payload:
&#x22;onerror=console.log(5)&#x22;
  • Find an input element in the web application where the value is used to manipulate the DOM without proper sanitization.
  • Replace the input value with the payload without breaking out of the quotes.
  • The payload will be executed by the browser when the script tries to manipulate the DOM using the input value, triggering a console log with the value ‘5’.

Impact/Risks:

This can lead to unauthorized access to sensitive information, session hijacking, defacement of the web application, or execution of other malicious actions in the context of the affected user.

Remediation:

Implement proper input validation and output encoding for all user-supplied data. Use secure coding practices to ensure that DOM manipulation is done safely, and consider using Content Security Policy (CSP) to mitigate the risk.

Combined XSS Exploitation

The following steps explain how to trigger all five XSS vulnerabilities simultaneously using the provided payload:

  • Payload:
data:,console.log(3)//&quot;onerror=console.log(5);&quot;" onafterscriptexecute=console.log(4)<img src=x onerror=console.log(1);><svg/onload=console.log(1)>`};console.log(2);{`
  • Analyze the application’s source code to locate areas where each XSS vulnerability type can be exploited. Specifically, find the locations where user-supplied data is rendered without proper sanitization, such as in HTML tags, script tags, the ‘src’ attribute of elements, within custom tags, and as input values used for DOM manipulation.
  • Insert the payload in a location where the payload can exploit each of the vulnerabilities. The payload combines the exploitation techniques for all five XSS types:
    • The payload starts with an SVG element that triggers an console.log(3) upon loading (exploiting the Classic XSS vulnerability).
    • Next, the payload includes an onerror attribute that triggers an console.log(5) (exploiting the DOM XSS vulnerability within the input value).
    • The payload contains an onafterscriptexecute attribute that triggers a console.log(4) (exploiting the XSS vulnerability inside the tag).
    • An image element with a src attribute set to an invalid URL and an onerror attribute that triggers an console.log(1) is used (exploiting the XSS vulnerability inside the ‘src’ attribute).
    • Finally, the payload includes an SVG element with an onload attribute that triggers an console.log(1), followed by a script that breaks out of the original context and triggers an console.log(2) (exploiting the XSS vulnerability within the script tags).
  • Once the payload is inserted into the application, the browser will execute each part of the payload, triggering console.log 1 through 5, and confirming that all five XSS vulnerabilities have been exploited simultaneously.

It is strongly recommended to address these vulnerabilities promptly to ensure the security and privacy of [Application Name] users. Please consider implementing the provided remediation steps and consult security professionals if necessary.

————– END OF Perce‘s REPORT ——————

START HUNTING!🎯