Move non-posted articles to root

master
Tait Hoyem 4 years ago
parent cf42280e08
commit eb5def3160

@ -12,17 +12,59 @@ funny for them to know it is me without anyone else knowing.
We were young and had `Inspect Element`ed a few things together,
so it was a safe bet that an HTML joke would let them know.
So I typed in my name like so:
I decided to write my name like so: `<b>Steve</b>`.
Steve is in reference to the [main character](https://minecraft.gamepedia.com/Player) in the video game Minecraft.
`BOLD_STEVE.JPG`
Now in theory this should have shown in in the leaderboard as: "&lt;b&gt;Bold Steve&lt;/b&gt;"
<figure>
<img src="/assets/img/qyf-xss/2-bold.png">
<figcaption>
<p>Me typing in my name as <span class="mono">&lt;b&gt;Steve&lt;/b&gt;</span>.</p>
</figcaption>
</figure>
Now in theory this should have shown in in the leaderboard as: "&lt;b&gt;Steve&lt;/b&gt;"
However, to my horror and excitement, I saw this in the leaderboard:
`BOLD_STEVE_LEADERBOARD.JPG`
<figure>
<img src="/assets/img/qyf-xss/3-steve-board.png">
<figcaption>
<p><span class="mono">&lt;b&gt;Steve&lt;/b&gt;</span> displaying in the leaderboard as bold text: <b>Steve</b></p>
</figcaption>
</figure>
The text "Steve" showed up **in bold** on the leaderboard.
This told me all I needed to know.
How did this happen? You might wonder.
### Server-Side Validation
Here is a great demonstration why you should do most of your validation on the server side.
As a user, I can edit any of the HTML, CSS, or Javascript your server serves to me.
Quiz your friends uses the `maxlength=20` HTML attribute on the name input field.
Imagine trying to fit in a script tag doing anything useful with 20 characters! Don't forget that includes the `<script>` tag.
That would leave 13 characters for Javascript.
Although I'm sure a genius would be able to [code golf](https://code.golf/) that, I know I couldn't.
Now obviously I can edit any HTML that a server has sent to me.
If I open up my inspect element window, I can go ahead and change that `maxlength` attribute to anything I want.
Let's change it to 100!
<figure>
<img src="/assets/img/qyf-xss/5-maxlength.png" alt='An image of the Quiz Your Friends name input field with inspect element. THe code reads: <font class="style6"><input class="inputbutton" name="takername" type="text" id="takername" maxlength="20" width="425" placeholder="Your First Name" style="text-align: center; text-decoration:inherit; font-size:38px;" tabindex="-1"></font>'>
<figcaption>
Manually changing the maxlength attribute.
</figcaption>
</figure>
In theory, there is a way that a site can stop people from just putting in their name of any length: server-side validation.
The server *could* check to see if the input is too long and reject it if it is.
The Quiz My Friends server has *no such checks in place*.
Therefore, I can send an almost arbitrary load to them.
Being able to send something potentially very large (more than a few megabytes) is a vulnerability of its own.
Imagine being able to send entire executable programs as your "name" in one of these quizzes?
The text "Bold Steve" showed up **in bold** on the leaderboard.
This told me all I needed to know. To add a `<script>` tag was next.
#### Hacking:
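Review bot: the moved "Server-Side Validation" section (L35-L55 in the new text) argues that a server-side length check is what was missing, but the evidence in this same hunk shows a different bug: the leaderboard rendered `<b>Steve</b>` as bold text instead of the literal "&lt;b&gt;Steve&lt;/b&gt;" the text expects, which means the name is inserted into the page unescaped. The fix for that is HTML-encoding the name on output; a length limit enforced on the server would not have stopped a 20-character tag, and "Therefore, I can send an almost arbitrary load" only follows for the size concern, not for the script injection. Consider saying so explicitly so readers do not take `maxlength` enforcement as the remedy. The arithmetic on "That would leave 13 characters for Javascript." also does not work: `<script>` alone is 8 characters, leaving 12, and `<script></script>` is 17, leaving 3. Finally the move left several duplicated or contradictory lines that should be reconciled: "So I typed in my name like so:" is immediately followed by "I decided to write my name like so:"; "Now in theory this should have shown in in the leaderboard" appears twice (with "in in") and once says "Bold Steve" and once "Steve"; the `BOLD_STEVE.JPG` and `BOLD_STEVE_LEADERBOARD.JPG` placeholder lines sit next to the real `<figure>` blocks; and "The text "Bold Steve" showed up **in bold** on the leaderboard. This told me all I needed to know." repeats the earlier "The text "Steve" showed up **in bold**" pair. The new heading is also "### Server-Side Validation" while it sits above "#### Hacking:", so the levels no longer nest.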
@ -43,22 +85,6 @@ but there were no client-side OR server-side checks to make sure the name I was
If Javascript checked it, it would have stopped me (although maybe not a professional).
If the server checked it, it could have stopped almost anyone.
##### Server-Side Validation
As a side note, here is a great reason why you should do most of your validation on the server side.
As a user, I can edit any of the HTML, CSS, or Javascript your server serves to me.
Imagine trying to fit in a script tag doing anything useful with 20 characters?
`<script src="http:">`
There's your 20 characters! No more! Good luck trying to do anything useful with this!
The Quiz My Friends server has *no such checks in place*.
Therefore, I can send an almost arbitrary load to them.
Being able to send something potentially very large (more than a few megabytes) is a vulnerability of its own.
Imagine being able to send entire executable progrmas as your "name" in one of these quizes?
## Executing An Exploit
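Review bot: the subsection being removed here carries the one concrete demonstration of the `maxlength=20` limit, `<script src="http:">` with "There's your 20 characters! No more!", and that example is not carried over into the relocated section in the first hunk, so the argument there is left with only prose and a miscounted "13 characters". Keep the 20-character example in the moved section. Note too that "If the server checked it, it could have stopped almost anyone." sits right above a tag shape that already fits in 20 characters; a short `<script src=...>` pointing at an attacker-controlled host defeats a length check entirely, which is another reason the moved section should name output encoding rather than length validation as the real control. The removed lines also carry the typos "progrmas" and "quizes", which were copied as "programs" and "quizzes" in the new copy only for the first word, so check the moved text for "quizes" as well.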
