Saturday, May 7, 2022

Yamagata21 XSS Challenges

 

Hello There!


In this write-up, I will share my exciting journey through the Yamagata XSS challenges (xss-quiz.int21h.jp).

This walkthrough covers the solution and the reasoning for every stage. Let's start with the first stage.

 


Stage #1

This stage is very simple because the application does not validate user input and reflects it directly on the page. The solution for this stage is a plain <script> tag for the popup.

 
Payload: <script>alert(document.domain)</script>
 

Figure #a

In image a, we notice that the input is reflected on the page, and when we inject the payload the application does not sanitize it.

Figure #b 

In image b, we observe that our payload runs successfully. Now let's move on to the second stage.


Stage #2 - https://xss-quiz.int21h.jp/stage2.php

In this stage, the application places the input inside the value attribute of an input tag. To solve this stage we have to close the attribute and the input tag, then add a script tag for the popup.


Payload: "><script>alert(document.domain)</script>


Figure #c

In image c, we can observe that the payload is placed inside the value attribute. To break out of it we close the input tag with "> and then add the script tag from the above payload for the popup.


Figure #d 

Bingo!! The response matches what we discussed above: after injecting the payload, the input tag is closed and the script tag runs after it. Now let's move on to the next stage.


Stage #3 - https://xss-quiz.int21h.jp/stage-3.php


Next, in this stage, we tried to inject <h1>, <script>, etc. tags to observe the application's response in the input field, and we noticed that every input is reflected on the webpage inside double quotes (" "). But I noticed something interesting in the form code: the select tag's value is also submitted with the form, and that is the way we are going to solve this challenge.

 

Payload: <script>alert(document.domain)</script>

Figure #e

With the help of the select tag we generate the popup: replace an option tag's value with the payload, write something in the search box and click search. Notice that we have completed the challenge.

 

Let's move on to the next stage.



Stage #4: https://xss-quiz.int21h.jp/stage_4.php


In this stage, I observed that the same functionality as stage 3 is available, so I tried the same payload and the same path to solve this challenge but didn't get any popup. After a strong tea I thought, let's play with the code. So I inspected the webpage and noticed that one hidden input tag is submitted with the form. That gave me a way to solve this challenge.

Payload: "><script>alert(document.domain)</script>




I changed the input type from hidden to text, and an input field appeared on the screen. Then I used the above payload in that (formerly hidden) input field, and the popup appeared on the screen.





Stage #5: https://xss-quiz.int21h.jp/stage--5.php

To solve this we just have to change the maxlength of the input tag so that our whole payload fits.

Navigate the path: right-click and inspect the webpage > change maxlength to whatever you want > hit enter and type the payload in the input.


Payload: "><script>alert(document.domain)</script>



Great!! We completed the challenge. Let's move on to the next stage.
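Stages 3, 4 and 5 all come down to the same point: a <select> that only offers certain options, a hidden input, and a maxlength attribute are conveniences for the browser, not controls, because anyone can edit them in the inspector before submitting. The server has to re-check every field against what the form actually offered. The following is an added example and not the quiz site's code; the field names (q, category, form_id), the option list and the length limit are hypothetical, and the sample submissions are constructed.

```javascript
// Added example (not the quiz site's code): re-validating on the server the
// three things stages 3, 4 and 5 show the browser cannot enforce: the options
// a <select> offers, the value of a hidden input, and an input's maxlength.
// Field names (q, category, form_id), the option list and the limits are
// hypothetical.

const ALLOWED_CATEGORIES = new Set(['all', 'books', 'music']); // the <option> values we emitted
const EXPECTED_FORM_ID = 'search-v1';                           // value baked into the hidden input
const MAX_QUERY_LENGTH = 15;                                    // mirrors maxlength="15" on the text box

// Decode an application/x-www-form-urlencoded body into a plain object.
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Returns { ok, errors }. Every field is checked against what the form offered,
// not against what the client claims it could send.
function validateSearchForm(fields) {
  const errors = [];
  const q = typeof fields.q === 'string' ? fields.q : '';
  if (q.length > MAX_QUERY_LENGTH) {
    errors.push(`q exceeds ${MAX_QUERY_LENGTH} characters`);
  }
  if (!ALLOWED_CATEGORIES.has(fields.category)) {
    errors.push('category is not one of the offered options');
  }
  if (fields.form_id !== EXPECTED_FORM_ID) {
    errors.push('hidden form_id was altered');
  }
  return { ok: errors.length === 0, errors };
}

// Constructed submissions: one honest, three edited in the browser's inspector
// (an option value replaced, maxlength removed, the hidden field rewritten).
const SAMPLES = [
  'q=hello&category=books&form_id=search-v1',
  'q=hello&category=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&form_id=search-v1',
  'q=' + 'a'.repeat(40) + '&category=all&form_id=search-v1',
  'q=hello&category=all&form_id=%22%3E%3Cscript%3E',
];

for (const body of SAMPLES) {
  const result = validateSearchForm(parseFormBody(body));
  console.log(result.ok ? 'accept' : 'reject', body.slice(0, 60), result.errors);
}
```

Run it with node and only the first submission is accepted. Note that passing validation does not make q safe to echo: the query text still needs output encoding for the place it is written into, which is a separate step from deciding whether to accept the request at all.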



Stage #6: https://xss-quiz.int21h.jp/stage-no6.php


I used the previous payload for this stage to understand how the application reacts, and I observed that the application completely encodes the greater-than and less-than signs (<, >). But the value attribute still gets closed by a double quote ("), and alert(document.domain); is not encoded, so I tried JavaScript event handlers such as onerror or onmouseover. The payload is:


Payload: " onmouseover=alert(document.domain)



In the above image, the double quote (") closes the value attribute, and after that all angle brackets are encoded. So next I injected the given payload and noticed that the value attribute is closed by (") and then the event-handler payload runs.




Stage #7: https://xss-quiz.int21h.jp/stage07.php


In this stage, the application adds the input value to the value attribute under double quotes, but there is one interesting thing happening here: when I inject a string value before the payload, the value attribute gets closed after it, and now it's clear that after closing the value attribute we are able to inject the payload.


Payload: lol onmouseover = alert(document.domain);


In the below image, the "lol" completes the value attribute, and after that the JavaScript event handler triggers the popup.





Stage #8: https://xss-quiz.int21h.jp/stage008.php


In this stage, the application takes the input and creates a link from it, so the payload is reflected as a link. I used the javascript: protocol, and as soon as you click the link it shows an alert box.

 

Payload: javascript:alert(document.domain);
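The defence for stage 8 is not to encode the link harder but to decide, before writing any href, whether the target uses a scheme you are willing to emit. Below is an added example, not code from the post or the quiz site: it parses the user's string with the WHATWG URL parser that Node and browsers share, checks the scheme against an allow-list, and only then builds the tag. Using the parser rather than a prefix check on the raw string matters because the parser normalises scheme case and leading whitespace for you. The base URL example.test is a placeholder.

```javascript
// Added example (not from the post or the quiz site): deciding whether a
// user-supplied string may become an href. The input is parsed with the WHATWG
// URL parser and the scheme is checked against an allow-list; a prefix check
// on the raw string would miss the case variants the parser normalises.
// The base URL example.test is a placeholder.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns a normalised absolute URL string, or null if the link must not be emitted.
function safeHref(userInput, base = 'https://example.test/') {
  let url;
  try {
    url = new URL(String(userInput), base);   // relative links resolve against base
  } catch (e) {
    return null;                              // unparseable input: refuse it
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Build the <a> tag only when the href passed the scheme check. The href is
// still attribute-encoded on the way out; the scheme check and the encoding
// defend against different things.
function renderLink(userInput) {
  const href = safeHref(userInput);
  if (href === null) return '<span>(link removed)</span>';
  const encoded = href
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
  return `<a href="${encoded}">${encoded}</a>`;
}

// Constructed inputs: the stage 8 payload, a case variant of it, and two honest links.
const LINK_SAMPLES = [
  'javascript:alert(document.domain);',
  'JavaScript:alert(document.domain);',
  'https://example.org/page?x=1',
  '/search?q=1',
];

for (const sample of LINK_SAMPLES) {
  console.log(JSON.stringify(sample), '->', renderLink(sample));
}
```

The allow-list is deliberately short: http and https are the schemes a search result or profile link should ever need, and anything else, including schemes the page did not think about, is rejected rather than enumerated.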





Stage #9: https://xss-quiz.int21h.jp/stage_09.php


This stage is not supported by current browsers because it depends on UTF-7 support.



Stage #10: https://xss-quiz.int21h.jp/stage00010.php


In this stage, the application removes the word "domain" from the input. To bypass this we have to split the word so that the filter's single pass reassembles it, e.g. "domdomainain".



Payload: "><img src=ss onerror='alert(document.domdomainain)'> 
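Stage 10's filter fails because it is not idempotent: running it once on "domdomainain" produces "domain", and the filter never looks at its own output. The check below is an added example, not the quiz site's code; it reproduces the single-pass removal as I understand it from the stage, shows a fixpoint version that repeats until the output stops changing, and gives a small test you can point at any sanitizer to catch this class of mistake. The filter's exact implementation on the site is an assumption.

```javascript
// Added example (not the quiz site's code): a single-pass word filter, a
// fixpoint version of it, and a generic idempotency check. The single-pass
// filter is an assumption about how stage 10 behaves.

// What stage 10 appears to do: delete every occurrence of "domain", once.
function stripDomainOnce(s) {
  return String(s).replace(/domain/g, '');
}

// Same filter applied until the output no longer changes.
function stripDomainUntilStable(s) {
  let prev;
  let cur = String(s);
  do {
    prev = cur;
    cur = stripDomainOnce(cur);
  } while (cur !== prev);
  return cur;
}

// A sanitizer is idempotent on an input if sanitizing its own output changes
// nothing. A sanitizer that fails this on any input can be fed a string that
// only becomes dangerous after the sanitizer has run.
function isIdempotentOn(sanitize, input) {
  const once = sanitize(input);
  return sanitize(once) === once;
}

// Constructed inputs: the stage 10 trick and a plain occurrence of the word.
const WORD_SAMPLES = ['domdomainain', 'alert(document.domain)', 'dodomainmain'];

for (const sample of WORD_SAMPLES) {
  console.log(
    sample.padEnd(24),
    'once ->', JSON.stringify(stripDomainOnce(sample)).padEnd(24),
    'stable ->', JSON.stringify(stripDomainUntilStable(sample)).padEnd(20),
    'once idempotent:', isIdempotentOn(stripDomainOnce, sample),
  );
}
```

The fixpoint version closes this particular hole, but it is still a blocklist on one word, and the real fix for every stage in this quiz is the same: encode the input for the context it is written into instead of trying to recognise the dangerous strings. The idempotency check is still worth keeping in a test suite, because any filter that rewrites its input, not just this one, can be caught by it.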


 
 
Thank You! Comments are always welcome, Happy Learning :)