Intigriti’s FEB-23 XSS Challenge Writeup

Piyush Paliwal
4 min read · Feb 18, 2023


https://challenge-0223.intigriti.io/

Create Page

As usual, open the iframe page `https://challenge-0223.intigriti.io/create` and explore it. Looking at the page, we found some functionality that can be modified: the arrows change the avatar’s look, and we can also add a custom background image. Nothing interesting was found in the source code, though.

In summary, the interesting things we found on the create page:

  • The arrow keys change the avatar’s look.
  • We can upload an image file as the background.

View Page

Going through this page and exploring it reveals some sensitive and juicy info. The Image name is not the same as our file name, and the Created date is the current date, but the Image comment is taken from our file. Looking at the source code reveals more.

The random number below Your “NFT” ID is our cookie. We could change our cookie to an XSS payload, but the source code reveals that the cookie is sanitized.

Next, the source code reveals that several metadata fields are extracted from the image and used on the view page. Most of them are sanitized as well, but the Image name is not, because it is hard-coded into the JSON object.

In summary, the interesting things we found on the view page:

  • We can modify the Image comment metadata in the image file.
  • All of the metadata is sanitized except the Image name.

Exploit

Now we know that we can change the Image comment, but for a successful XSS we need to change the Image name.

So here we will try an attack called parameter poisoning. You might have heard of it: in this type of attack we try to confuse the server by providing multiple parameters with the same name and then check whether the response is unexpected.

Now look at the above image again and focus on the imgobj variable, where the whole JSON string is concatenated and then parsed before the data is processed further. At the end of the JSON object, our Image comment metadata is appended as well.

Following the parameter poisoning idea, we need to add one more imgName param to that object via the imgComment param. How do we change the image metadata? We can use online tools, or simply the most popular image tool, ExifTool. Here we will use exiftool to update the metadata of our image file (remember, any image file will work). Our payload will look something like this.

This command simply creates a new imgName param and triggers the parameter poisoning. Once you upload this new image as a background image, you will see that the attack was successful: when the JSON object was parsed, the last imgName param was the one taken into account, and our XSS popped.
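The concatenate-then-parse pattern and the last-duplicate-key-wins behaviour described above, as an added example that is not the challenge’s own code: the function names, the hard-coded image name and the `POISONED` marker string are assumptions, and a marker is used in place of any script payload.

```javascript
// Added example (not the challenge's code). Models a view page that builds a
// JSON string by concatenation, with a hard-coded imgName and an
// attacker-controlled imgComment appended last.

// Vulnerable pattern: the comment is spliced into JSON text as-is, so a
// comment that closes the string and adds another "imgName" key wins,
// because JSON.parse keeps the LAST occurrence of a duplicate key.
function buildImgObjVulnerable(imgComment) {
  const raw = '{"imgName":"background.png","imgComment":"' + imgComment + '"}';
  return JSON.parse(raw);
}

// Hardened pattern: build the object first and let JSON.stringify escape the
// untrusted value. The comment can no longer break out of its string, so the
// hard-coded imgName is preserved whatever the EXIF comment contains.
function buildImgObjSafe(imgComment) {
  const obj = { imgName: "background.png", imgComment: imgComment };
  return JSON.parse(JSON.stringify(obj));
}

// Detection heuristic: report whether a JSON text carries the same key more
// than once. Treats all keys as one namespace and can be fooled by a string
// value containing '":', so use it as a cheap pre-parse sanity check only.
function hasDuplicateKey(jsonText) {
  const seen = new Set();
  const keyRe = /"((?:[^"\\]|\\.)*)"\s*:/g;
  let m;
  while ((m = keyRe.exec(jsonText)) !== null) {
    if (seen.has(m[1])) return true;
    seen.add(m[1]);
  }
  return false;
}

// Constructed sample: a comment that closes its own string and injects a
// second imgName key (a harmless marker stands in for a real payload).
const POISONED_COMMENT = 'x","imgName":"POISONED';

console.log(buildImgObjVulnerable(POISONED_COMMENT).imgName); // POISONED
console.log(buildImgObjSafe(POISONED_COMMENT).imgName);       // background.png
```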

Conclusion

This attack was possible because the developer assumed the imgName parameter could not be tampered with, as it was hard-coded, but with the help of parameter poisoning we were able to change the imgName value and execute our XSS.
