Todo

Prompt

We've uncovered a todo list made by the nefarious Liber8tion group. There seems to be a flag hidden in the admin user's cookies, the admin user periodically checks the todo list to make sure employees are actively working, can you extract the flag from them? Note: Your scope is limited to HTTPS & you may not use automated brute-force tools for this challenge.

Walk-Through

In this challenge, you’ll learn to use cross-site scripting to access hidden information. Cross-site scripting (XSS) is a type of attack where malicious code is injected into a website, and the script is executed when other users visit the site. XSS can be used to obtain a user’s session cookie, allowing an attacker to hijack another’s session.

Start this challenge by visiting the webpage. Type something in the form box and submit it.

Notice how whatever is entered is added as output on the webpage.

Let's inspect the website using developer tools. Be sure to expand the drop-downs for the different HTML elements. Below, notice how the text entered into the form appears on the website.

Throughout this walkthrough, screenshots of the developer tools section (on the right) will be shown without the rendered content in the viewport (on the left) and vice versa.

What does this form do? Take note of the form and the script elements.

This is a close-up of the form element on the page. Notice that whatever is submitted to the form is stored as a value. A script is linked on the last line shown.

Let's see what the script does with the input from the form. Navigate to the Sources tab and find /static/app.js. The screenshot below shows the contents of the app.js script.

On line 14, the script is listening for new items to be submitted through the form. When an item is submitted, the addItem() function on line 1 runs. From line 13, it looks like whatever is entered to the form is stored in a list of ‘items’.

Comments have been added to each line of the addItem() function below to illustrate what the function does.

Whatever is input into the form will be sent to the web server as a POST request. This means that the server on the backend will receive the data sent in the body of the request, process it, and send back a response to the TODO webpage.

Let's see if cross-site scripting is possible by sending HTML-formatted text like <b>Test</b> through the form to test whether the input is sanitized.


It appears the text that was submitted was completely unmodified by the backend, and was sent back as a response to this page. Notice how the text is bolded; this means the formatting was not removed. Therefore, it’s possible to send a script to the server as well.

According to the challenge description, “there seems to be a flag hidden in the admin user’s cookies”. How do we get this flag? Take note that when you bring up developer tools, you are not viewing the admin’s account: whatever appears under the cookies drop-down are your own cookies.

Then where are the admin user’s cookies? On the computer the admin is using to interact with the ToDo webpage.

How is it possible to access cookies from this other machine? A quick web search of “how to access cookies with JavaScript” should indicate that document.cookie is the property that holds a string of the cookies for the webpage.


Source: https://www.w3schools.com/js/js_cookies.asp

Recall script/app.js from earlier. When a new item is added, the value is sent to the server, which processes it and returns a response. If just “document.cookie” is submitted through the form, then the literal string “document.cookie” will be added to the to-do list, not the admin’s actual cookies. For a cookie value to appear instead of the submitted string, there needs to be script execution on the page.

To do this, document.cookie needs to be sent via fetch within a script so that the script is added to the list. This way whoever visits the page will receive the list with the script, and the script will execute on their page.

Use lines 4-11 of script/app.js, but replace value with document.cookie. Submit this entire code block through the form box on the webpage.

<script>
	fetch('/item', {
		method : 'POST',
		headers : {
			'Content-Type' : 'application/json',
		},
		body : JSON.stringify({ item : btoa(document.cookie) }),
	}).then(console.log).catch(console.log);
</script>
You may notice that a bullet appears but no text. Check the Elements page again. Notice that the script is added to the list of items. The script will be executed when anyone visits the page.

Submit a blank entry to the form or refresh the page for the script to execute.

The flag has been partially redacted. Watch the video walkthrough for more detail on how the script works in this challenge.
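As an added example (not the challenge's own app.js), the following shows the rendering pattern that lets a stored item execute, the output-encoded version that does not, and a check of the Set-Cookie attributes that would have kept the flag out of document.cookie. The sample items and the cookie header are constructed for illustration.

```javascript
// Added example, not the challenge's own app.js. Shows the rendering pattern
// that lets a stored item execute, the output-encoded version that does not,
// and a check of the Set-Cookie attributes that keep a session cookie out of
// document.cookie. Runs under Node.js with no DOM or network.

// Encode the characters that let text break out of an HTML text node or
// attribute value; this is the minimum output encoding for HTML bodies.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored item is concatenated straight into markup,
// which is why the submitted <script> runs for whoever loads the list.
function renderItemsUnsafe(items) {
  return '<ul>' + items.map(i => `<li>${i}</li>`).join('') + '</ul>';
}

// Hardened pattern: every item is encoded before it reaches the markup.
function renderItemsSafe(items) {
  return '<ul>' + items.map(i => `<li>${escapeHtml(i)}</li>`).join('') + '</ul>';
}

// True when rendered HTML still contains a live <script> start tag.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Parse a Set-Cookie header: HttpOnly hides the cookie from document.cookie,
// Secure restricts it to HTTPS (the challenge scope is HTTPS only).
function cookieFlags(setCookieHeader) {
  const attrs = setCookieHeader.split(';').slice(1)
    .map(a => a.trim().toLowerCase());
  return { httpOnly: attrs.includes('httponly'), secure: attrs.includes('secure') };
}

// Constructed sample items: a normal entry and one shaped like the payload
// the walkthrough submits (fetch of btoa(document.cookie) back to /item).
const sampleItems = [
  'Finish Q3 report',
  "<script>fetch('/item',{method:'POST',body:JSON.stringify({item:btoa(document.cookie)})})</script>",
];

console.log(containsScriptTag(renderItemsUnsafe(sampleItems)), // true
            containsScriptTag(renderItemsSafe(sampleItems)));  // false
```

Even with encoding in place, marking the session cookie HttpOnly means a script that does slip through cannot read it, which is the second layer the challenge's admin account lacks.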

To find the User Agent, do the same thing but use navigator.userAgent in place of document.cookie.

<script>
	fetch('/item', {
		method : 'POST',
		headers : {
			'Content-Type' : 'application/json',
		},
		body : JSON.stringify({ item : btoa(navigator.userAgent) }),
	}).then(console.log).catch(console.log);
</script>
The output has been mostly redacted.

Troubleshooting

If you are having issues, there is a system to clear the TODO list after 25 entries.

Video Walkthrough

Cyber Skyline Live: Stealing Cookies with Cross-Site Scripting

Learn the basics of cross-site scripting and how it can be used to compromise the visitors of a website. This video is for educational purposes only.


Questions

1. What is the name of the vulnerability used to get the flag?

2. What is the flag found in the admin user's cookies?

3. What is the User Agent of the account the flag was extracted from?