Leveraging Server Side XSS (PDF) for Auth Bypass - "My Music" [INTIGRITI 1337UP LIVE CTF 2023]

Published: 02 November 2024
on channel: Intigriti

🚩 Video walkthrough for the "My Music" Web challenge featured in our 1337UP LIVE (CTF) competition 2023! The challenge required players to identify a server-side XSS vulnerability in the PDF generator function. The vulnerability allows the application's source code to be read, giving a strong understanding of the application logic. Using this, players would find out that user objects are stored in JSON format, as well as their location and file name format. They would also see that only users with an "isAdmin: true" property would receive the flag. From here, they could read the puppeteer documentation for the PDF function and discover that the user-controllable options could allow an attacker to specify the write path of the PDF. Finally, by providing the path of their own user object, they could overwrite its contents. Since the PDF is not valid JSON, parsing it triggers an error, so the code responsible for restricting user access (403) is never reached 😎 #1337UP #1337UPLIVE #CTF #INTIGRITI #HackWithIntigriti
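The two weaknesses described above (client-controlled puppeteer `page.pdf()` options, and an access check that fails open when the stored user record no longer parses) and how each is closed, as an added example that is not the challenge's own source code. It assumes the app spread request-supplied options straight into `page.pdf()` and decided `isAdmin` by parsing a per-user JSON file; puppeteer itself is not needed to run it.

```javascript
// Added example (not from the challenge). puppeteer's page.pdf() writes the
// PDF to disk when options.path is set, so that key must never come from the
// client. Instead of spreading req.body into page.pdf(), keep an allowlist of
// harmless layout keys and drop everything else.
const ALLOWED_PDF_OPTIONS = new Set(["format", "landscape", "printBackground"]);

function sanitizePdfOptions(userOptions) {
  const safe = {};
  if (userOptions === null || typeof userOptions !== "object") return safe;
  for (const [key, value] of Object.entries(userOptions)) {
    if (ALLOWED_PDF_OPTIONS.has(key)) safe[key] = value;
  }
  return safe; // "path" and any other unexpected key are discarded
}

// Fail-closed access decision: a user record that cannot be parsed (for
// example a PDF written over the JSON file) is treated as "not admin" rather
// than as an exception that skips the 403 branch.
function isAdminFromRecord(rawRecord) {
  let user;
  try {
    user = JSON.parse(rawRecord);
  } catch (_err) {
    return false;
  }
  return user !== null && typeof user === "object" && user.isAdmin === true;
}

// Route-level outcome: the flag (200) only when the record parses AND isAdmin is true.
function flagResponseStatus(rawRecord) {
  return isAdminFromRecord(rawRecord) ? 200 : 403;
}

// Constructed sample inputs (hypothetical paths and names).
const clientOptions = { format: "A4", path: "/app/users/someone.json" }; // hostile key present
const validAdmin = JSON.stringify({ username: "admin", isAdmin: true });
const validUser = JSON.stringify({ username: "bob", isAdmin: false });
const clobbered = "%PDF-1.4 ...binary..."; // record after being overwritten by a PDF

console.log(sanitizePdfOptions(clientOptions)); // { format: 'A4' }
console.log(flagResponseStatus(validAdmin)); // 200
console.log(flagResponseStatus(validUser)); // 403
console.log(flagResponseStatus(clobbered)); // 403
```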

Check out the accompanying writeup here: https://github.com/Crypto-Cat/CTF/blo...

🐛INTIGRITI 1337UPLIVE CTF🐞
https://ctftime.org/event/2134
https://ctf.intigriti.io

Overview:
0:00 Intro
0:18 Explore site functionality
0:58 Identify HTML injection
1:31 Optimising burp config
3:33 Server-side XSS (Dynamic PDF)
4:47 Use local file read to review source code
9:28 Understand the access control process
12:53 Find "path" in puppeteer docs
14:42 Overwrite user object with PDF (invalid JSON)
16:47 Recap
17:45 Conclusion

🧑💻 Sign up and start hacking right now - https://go.intigriti.com/register

👾 Join our Discord - https://go.intigriti.com/discord

🎙️ This show is hosted by @_CryptoCat & Intigriti

👕 Do you want some Intigriti Swag? Check out https://swag.intigriti.com