The application seems pretty straightforward: we can register with a username, a password, and a secret. The goal of the challenge is to recover the secret of an administrator.

Solution

Checking the source of the profile page, we can see some interesting information:

First, the secret is shown in an input tag. We can see that we can edit part of our profile as well by using edit.php. This page will edit the “about” field of our user.

We can also see that there is an administrator function commented out in the HTML, hinting at a potential XSS or similar attack, as the administrator will have a list of updated statuses in his dashboard.

XSS attempts will prove unsuccessful, as we do not have access to the necessary characters and we are not in an attribute. A bbcode function is however enabled on the application, allowing us to input interesting data; for example, Message wrapped in bbcode tags will be translated to Message wrapped in the equivalent HTML tags.

Testing all possible bbcodes, one in particular will be interesting to us: color. With the color bbcode injected, we can see the result:

As shown in the screenshot, the parameter “test” is inserted inside a style tag, and since other characters are not correctly filtered, we can do a CSS injection:

Using that as input will change the background image of some HTML tags and generate a request to our website.
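To make the root cause concrete, here is a constructed bbcode color handler (added example, not the challenge's own PHP): the vulnerable version copies the color value into the style attribute unchanged, while the hardened version only lets allow-listed color values through and renders anything else as literal text. The allow-list and the assumption that the value lands in a style attribute are mine.

```python
import html
import re

# Constructed demo of a [color=...] bbcode handler (not the challenge's code).
COLOR_RE = re.compile(r"\[color=([^\]]*)\](.*?)\[/color\]", re.DOTALL)


def render_color_unsafe(text: str) -> str:
    """Vulnerable: inner text is HTML-escaped (so XSS fails, as in the
    challenge), but the color value reaches the style attribute unfiltered,
    so anything the CSS parser accepts is injected."""
    return COLOR_RE.sub(
        lambda m: f'<span style="color:{m.group(1)}">{html.escape(m.group(2))}</span>',
        text,
    )


# Assumed allow-list: a few CSS named colors plus #RGB / #RRGGBB hex values.
NAMED_COLORS = {"red", "green", "blue", "black", "white", "yellow", "orange", "purple"}
HEX_RE = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")


def is_safe_color(value: str) -> bool:
    """True only for values that are exactly one allow-listed color token."""
    v = value.strip()
    return v.lower() in NAMED_COLORS or bool(HEX_RE.match(v))


def render_color_safe(text: str) -> str:
    """Hardened: a color value that is not on the allow-list never reaches
    the style attribute; the whole bbcode is shown literally instead."""
    def repl(m: re.Match) -> str:
        color, inner = m.group(1), html.escape(m.group(2))
        if not is_safe_color(color):
            return html.escape(m.group(0))
        return f'<span style="color:{color.strip().lower()}">{inner}</span>'
    return COLOR_RE.sub(repl, text)
```

The difference to check is that a value containing a CSS delimiter such as `;` or `}` is rejected by `is_safe_color` before it can break out of the declaration.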