[http://ctf.infosecinstitute.com/] Level1 writeup
Link to the ctf chall: ctf.infosecinstitute.com/ctf2/
This challenge is basically about JavaScript and how to use the JavaScript debugger. I found a really useful tutorial about it here: http://meeech.amihod.com/getting-started-with-javascript-debugging-in-chrome/. Let's
open its source; clearly we can bypass the first layer of validation by editing the HTML.
Because everything is client-side, we can change siteName and siteURL to whatever we want after the lines of code that assign them (shown below). Set a breakpoint after those lines and use the 'Evaluate in console' functionality of the JavaScript debugger.
Now we can input whatever we want into the name and URL fields. Let's inject some JavaScript into the name:
<script>alert('Ex1')</script>
http://www.google.com
After adding the code ... nothing happens. There is a second layer of protection which escapes our '<' and '>' characters into '&lt;' and '&gt;'. Looking at the JavaScript code:
var siteName = $(".ex1 input[type='text']").val().trim().replace(/</g, "&lt;").replace(/>/g, "&gt;");
var siteURL = $(".ex1 input[type='url']").val().trim().replace(/</g, "&lt;").replace(/>/g, "&gt;");
Continue the script and done!!
Play around: try injecting other things and have fun.
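The bypass above works because the escaping runs once, in the browser, before the value is used. As an added example (not code from the challenge or from this post; the function names are hypothetical), the following contrasts that escape-on-read pattern with encoding at the point of output, using the same inputs typed into the form above:

```javascript
// Escape-on-read, as in the challenge code: only < and >, done once.
function pageEscape(value) {
  return value.trim().replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Sink that trusts whatever is in its arguments (assumed shape of the output).
function renderUnsafe(siteName, siteURL) {
  return '<a href="' + siteURL + '">' + siteName + "</a>";
}

// HTML-encode at the sink, so the result does not depend on what happened
// to the variable between reading the input and rendering it.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened sink: allow only http/https URLs, then encode both values.
function renderSafe(siteName, siteURL) {
  let parsed;
  try {
    parsed = new URL(siteURL);
  } catch (e) {
    throw new Error("invalid URL");
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    throw new Error("scheme not allowed");
  }
  return '<a href="' + escapeHtml(parsed.href) + '">' + escapeHtml(siteName) + "</a>";
}

// Constructed sample input: the values the writeup enters in the form.
const typedName = "<script>alert('Ex1')</script>";
const typedURL = "http://www.google.com";

// Normal flow: the early escape is still in effect at the sink.
const escapedName = pageEscape(typedName);
// Debugger flow from the writeup: the variable is reassigned after the escape.
const tamperedName = typedName;

console.log(renderUnsafe(escapedName, typedURL));
console.log(renderUnsafe(tamperedName, typedURL)); // raw markup reaches the page
console.log(renderSafe(tamperedName, typedURL));   // encoded at the sink
```

In a real application the same check and encoding belong in server-side code or the rendering template, since anything that runs in the browser can be changed by its user.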

