XSS Challenge - Twins of Ten

This post is reposted here from labs.detectify.com - Twins of Ten

A while ago I found a vulnerable endpoint with some fun limitations. I thought it could be exciting to see how you would go about breaking it.

The URL looked like this:

/feed?id=0123AAAAAAAAAA&id=0456BBBBBBBBBB&id=0789CCCCCCCCCC

It responded with a feed as HTML. The feed looked like this:

The numbers at the beginning of every ID had to be there, which meant you only had 10 characters per parameter to inject something. There were no limitations on which characters could be injected, only on the number of characters per parameter. Also, since the injection point was both in the start tag and in the end tag, the string you injected for every ID was repeated.

Here’s some example code in PHP that does the same thing, so you can simulate the real-life scenario:

<?php
// Simulation of the vulnerable feed endpoint (deliberately vulnerable; do not deploy).
$q = urldecode($_SERVER['QUERY_STRING']); // decode the query string, then split it into pairs
$qs = explode('&', $q);
$qa = array();
$chars = 0;
foreach($qs as $q) {
	$q = explode('=', $q);
	array_shift($q);              // drop the parameter name, keep everything after the first '='
	$s = implode('=', $q);
	if(strlen($s) > 10) continue; // at most 10 characters per parameter
	$chars += strlen($s);
	$qa[] = $s;
}
foreach($qa as $q) {
	// each value is echoed twice: once in the start tag and once in the end tag
	echo "<0123$q><b x=\"x\">hejsan</b></0123$q>";
}
echo '<!-- '.$chars.' chars long -->';

So these are the requirements, which the PHP code above reproduces:

  • Should alert(1) without any interaction.
  • Maximum 10 characters per parameter.
  • Each parameter will repeat itself.
  • The first time the parameter is wrapped in <%s> and the second time in </%s>. The payload can either take advantage of this or work without it.
  • There will be HTML code between the repetitions of the parameter.
  • No new lines were present in the feed at all; in the response above they were only added for readability, and the PHP code simulates this behaviour.
  • Should work in (and/or) Chrome/Firefox/IE/Safari.
  • Try to make it bypass the XSS Auditor, at least in Chrome/Safari. It’s possible.

If you have a working payload, send me an email at frans at detectify dot com with “Twins of Ten solution” as the subject. Please don’t write any hints to other people in the forum; the fun thing is to see how you all would go about solving it. I have a few Detectify hoodies (three, that is) to send out for the shortest and most creative solutions.

I was able to bypass it and I’ve created a secret gist at 6 Jun 2015 13:33:31 CEST with my own solution. I’ll post an explanation of how I did it on this blog sometime next week, hopefully together with some fun contributions and versions of bypasses to this vulnerable code.
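For contrast, here is a hardened rewrite of the simulated endpoint, added as an example and not part of the original post or of Detectify's code. It assumes a valid ID is the fixed prefix plus 1 to 10 ASCII letters or digits, splits the query string before URL-decoding each value, and never lets a parameter value become a tag name.

```php
<?php
// Hardened counterpart of the challenge endpoint (added example, not the original fix).
// Assumption: a feed ID is the literal prefix "0123" followed by 1-10 letters/digits.
declare(strict_types=1);

const ID_PATTERN = '/\A[A-Za-z0-9]{1,10}\z/';

/** Return only the id= values that pass the allowlist; anything else is dropped. */
function collectFeedIds(string $queryString): array
{
    $ids = [];
    // Split on '&' and '=' before decoding, so a decoded value cannot
    // create, rename or merge parameters.
    foreach (explode('&', $queryString) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
        if (urldecode($key) !== 'id') {
            continue;
        }
        $value = urldecode($value);
        if (preg_match(ID_PATTERN, $value) !== 1) {
            continue; // reject anything that is not plain alphanumeric
        }
        $ids[] = $value;
    }
    return $ids;
}

/** Render the feed. The ID goes into a quoted, escaped attribute, never into a tag name. */
function renderFeed(array $ids): string
{
    $out = '';
    foreach ($ids as $id) {
        $safe = htmlspecialchars('0123' . $id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $out .= "<div data-feed-id=\"$safe\"><b x=\"x\">hejsan</b></div>";
    }
    return $out . '<!-- ' . count($ids) . ' ids -->';
}

echo renderFeed(collectFeedIds($_SERVER['QUERY_STRING'] ?? ''));
```

With the allowlist alone the original tag-name construction would already be safe; moving the value into an escaped attribute is defence in depth, so a future relaxation of the pattern does not silently reopen the injection.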