tait
/
tait.tech
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '01a14c77de'
${ noResults }
tait.tech/_site/2020-04-27-quiz-your-friend...

117 lines
4.4 KiB
Raw Blame History Escape

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>The "Quiz Your Friends" XSS Exploit | tait.tech</title>
<link rel="stylesheet" href="/assets/css/style.css">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
<div id="wrapper">
<nav>
<input type="checkbox" id="menu">
<label for="menu">&#9776;</label>
<div class="menu-content">
<a href="/" class="nav-link" >Home</a>
<a href="/tutoring/" class="nav-link" >Tutoring</a>
<a href="/blog/" class="nav-link" >Blog</a>
<a href="/links/" class="nav-link" >Links</a>
<a href="https://github.com/TTWNO/" class="nav-link" target="_blank" rel="noopener noreferrer" >Code</a>
</div>
</nav>
<h1>The "Quiz Your Friends" XSS Exploit</h1>
<h4 class="post-date line-under"></h4>
<div class="article">
<h2 id="todo-write-intro">TODO write intro</h2>
<h2 id="how-i-found-this-exploit">How I Found This Exploit</h2>
<p>While filling in one of my friends surveys I thought it would be
funny for them to know it is me without anyone else knowing.
We were young and had <code class="highlighter-rouge">Inspect Element</code>ed a few things together,
so it was a safe bet that an HTML joke would let them know.</p>
<p>So I typed in my name like so:</p>
<p><code class="highlighter-rouge">BOLD_STEVE.JPG</code></p>
<p>Now in theory this should have shown in in the leaderboard as: “&lt;b&gt;Bold Steve&lt;/b&gt;
However, to my horror and excitement, I saw this in the leaderboard:</p>
<p><code class="highlighter-rouge">BOLD_STEVE_LEADERBOARD.JPG</code></p>
<p>The text “Bold Steve” showed up <strong>in bold</strong> on the leaderboard.
This told me all I needed to know. To add a <code class="highlighter-rouge">&lt;script&gt;</code> tag was next.</p>
<h4 id="hacking">Hacking:</h4>
<p>So I went on my merry way thinking about ways to use malicious javascript.
Then, I thought that might be mean, so I decided to warn users instead.
I filled in the name with a script tag and a call to <code class="highlighter-rouge">alert()</code> to warn the user about this site.</p>
<p><code class="highlighter-rouge">JAVASCRIPT_NAME.JPG</code></p>
<p>I ran out of room before I could finish it. Hmmm.
What if I do “Inspect Element” and manually override the max-length attribute?</p>
<p>The unfortunate truth is: this worked as well!</p>
<p>Not only could I manually set the max-length by changing it in the HTML,
but there were no client-side OR server-side checks to make sure the name I was sending was less than or equal to 20 characters.</p>
<p>If Javascript checked it, it would have stopped me (although maybe not a professional).
If the server checked it, it could have stopped almost anyone.</p>
<h5 id="server-side-validation">Server-Side Validation</h5>
<p>As a side note, here is a great reason why you should do most of your validation on the server side.
As a user, I can edit any of the HTML, CSS, or Javascript your server serves to me.</p>
<p>Imagine trying to fit in a script tag doing anything useful with 20 characters?</p>
<p><code class="highlighter-rouge">&lt;script src="http:"&gt;</code></p>
<p>Theres your 20 characters! No more! Good luck trying to do anything useful with this!</p>
<p>The Quiz My Friends server has <em>no such checks in place</em>.
Therefore, I can send an almost arbitrary load to them.
Being able to send something potentially very large (more than a few megabytes) is a vulnerability of its own.
Imagine being able to send entire executable progrmas as your “name” in one of these quizes?</p>
<h2 id="executing-an-exploit">Executing An Exploit</h2>
<p>Suppose were on a vulnerable site like <a href="https://www.quizyourfriends.com/">Quiz Your Friends</a>
and you decide you want to hack your friends quiz!
How can this be done?</p>
<h4 id="creating-a-quiz">Creating A Quiz</h4>
<p>Here is my quiz below:</p>
<p><code class="highlighter-rouge">CREATING_QUIZ.IMG</code></p>
<h4 id="setting-a-name-with-an-html-tag">Setting A Name With an HTML Tag</h4>
<p>Just like the image above, about how I found out about this vulnerability: go ahead and use an HTML tag in your name to test this out.</p>
<p><code class="highlighter-rouge">BOLD_ITALIC_STEVE.JPG</code></p>
</div>
<footer>
This page is mirrored on <a href="https://beta.tait.tech/2020-04-27-quiz-your-friends-xss.html">beta.tait.tech</a>.
</footer>
</div>
</body>
</html>
Reference in new issue View Git Blame Copy Permalink