This repository has been archived by the owner on Jul 4, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 222
Shibuya.XSS JIZEN GAKUSHU Challenge
Cure53 edited this page Mar 30, 2016
·
5 revisions
This challenge was posted by Masato Kinugawa in March 2016, accompanying the Shibuya.XSS event in Tokyo.
- http://shibuya.vulnerabledoma.in/jizen (Challenge Website)
- http://shibuyaxss.connpass.com/event/28232/ (Event Website)
- https://speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-7 (Slides by Masato)
The model solution created by Masato Kinugawa:
Note: You have to use unencoded characters instead of %22 and %3c, copy&paste might break the PoC. You can also click here to play with the PoC: http://is.gd/6KL7sV
Tested and confirmed on MSIE11 and Edge (!).
There is several reasons why this works, and several tricks being used to attack the seemingly secure page:
- First of all, jQuery mobile performs a navigation that is supported by the use of
history.pushState() - Check out the jQuery Mobile docs about
hashListeningEnabledandpushStateEnabled: http://demos.jquerymobile.com/1.0/docs/api/globalconfig.html - This is not a bug in itself, but combined with the existing JavaScript on the page, it becomes a vulnerability
- As can be seen, on the website, a "tracking image" is built, using
location.pathname - Combining
history.pushState()with amhtml:protocol handler allows to inject unencoded payload into thelocation.pathnameproperty - So, first the jQuery mobile framework "navigates" to the new URL, then the now infected
location.pathnameproperty will be used to create a HTML element - Given the lack of encoding, we can now break the HTML string and create an active element. Aaaand, XSS.
Challenge solved :)