XSS Playground

CTF challenge XSS Playground by zseano. Level:Moderate, Name:XSS Playground by zseano Flags:1

This challenge opens a webpage http://35.227.24.107/XXXXXXXXXX/index.php containing details such as person photo, name, place, comments, give feedback...etc. There is option to add comment, feedback. After providing feedback, a message will be displayed and URL used is http://35.227.24.107/XXXXXXXXXX/index.php?msg=Thanks,%20your%20feedback%20has%20been%20received.%20We%20appreciate%20you%20sharing%20your%20feedback. What ever message we send in msg will be displayed on the webpage.

In webpage, there is no permission to see email, it says Error 403: You are not allowed to view emails. This must be the entry point. When checked the sources in inspection, there are files custom.js, feedback.js. In custom.js there are apis defined such as action.php, feedback.php, getemail.
Tried checking each api using the usrl http://35.227.24.107/XXXXXXXXXX/api/feedback.php, http://35.227.24.107/XXXXXXXXXX/api/getemail but these are not giving any response.

On further checking the custom.js file there is a header being set t.setRequestHeader("X-SAFEPROTECTION","enNlYW5vb2Zjb3Vyc2U="). Tried using this header for getemail api. Curl command will be curl -v -H "X-SAFEPROTECTION":"enNlYW5vb2Zjb3Vyc2U=" http://35.227.24.107/XXXXXXXXXX/api/action.php?act=getemail. This gave the email with the flag.

Comments

sgiacomel said…
Just a note, the header needs to be uppercase, to force that I had to pass the flag --http1.1 to the curl command
kat6541 said…
Hello, thanks for the blog, I was just wondering how did you know that the header had to be uppercase for it to work.Thanks
wilson wei said…
In custom.js file, the header for "X-SAFEPROTECTION" is uppercase. Therefore it's better to keep it.
When send request using http 2, it will automatically change it to "X-Safeprotection", so, you need to force it using http 1.1
tea4two said…
it stumped me till i understood you have to force it with the curl command then i got the flag

Popular posts from this blog