This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.
<!DOCTYPE html><htmllang="en"><head><metacharset="UTF-8"><title>The "Quiz Your Friends" XSS Exploit | tait.tech</title><linkrel="stylesheet"href="/assets/css/style.css"><metaname="viewport"content="width=device-width, initial-scale=1.0"><metaname="author"content="Tait Hoyem"><metaname="keywords"content=""><metaname="description"content=""></head><body><divid="wrapper"><header><nav><inputtype="checkbox"id="menu"><labelfor="menu">☰</label><divclass="menu-content"><ahref="/"class="nav-link">Home</a><ahref="/blog/"class="nav-link">Blog</a><ahref="https://github.com/TTWNO/"class="nav-link"target="_blank"rel="noopener noreferrer">Github</a></div></nav></header><main><article><header><h1class="post-title">The "Quiz Your Friends" XSS Exploit</h1><timedatetime=""class="post-date"></time></header><hr><h2id="todo-write-intro">TODO write intro</h2><h2id="how-i-found-this-exploit">How I Found This Exploit</h2><p>While filling in one of my friend’s surveys I thought it would be funny for them to know it is me without anyone else knowing. We were young and had <codeclass="language-plaintext highlighter-rouge">Inspect Element</code>ed a few things together, so it was a safe bet that an HTML joke would let them know.</p><p>I decided to write my name like so: <codeclass="language-plaintext highlighter-rouge"><b>Steve</b></code>. Steve is in reference to the <ahref="https://minecraft.gamepedia.com/Player">main character</a> in the video game Minecraft.</p><figure><imgsrc="/assets/img/qyf-xss/2-bold.png"/><figcaption><p>Me typing in my name as <spanclass="mono"><b>Steve</b></span>.</p></figcaption></figure><p>Now in theory this should have shown in in the leaderboard as: “<b>Steve</b>” However, to my horror and excitement, I saw this in the leaderboard:</p><figure><imgsrc="/assets/img/qyf-xss/3-steve-board.png"/><figcaption><p><spanclass="mono"><b>Steve</b></span> displaying in the leaderboard as bold text: <b>Steve</b></p></figcaption></figure><p>The text “Steve” showed up <strong>in bold</strong> on the leaderboard. This told me all I needed to know. How did this happen? You might wonder.</p><h3id="server-side-validation">Server-Side Validation</h3><p>Here is a great demonstration why you should do most of your validation on the server side. As a user, I can edit any of the HTML, CSS, or Javascript your server serves to me.</p><p>Quiz your friends uses the <codeclass="language-plaintext highlighter-rouge">maxlength=20</code> HTML attribute on the name input field. Imagine trying to fit in a script tag doing anything useful with 20 characters! Don’t forget that includes the <codeclass="language-plaintext highlighter-rouge"><script></code> tag. That would leave 13 characters for Javascript. Although I’m sure a genius would be able to <ahref="https://code.golf/">code golf</a> that, I know I couldn’t.</p><p>Now obviously I can edit any HTML that a server has sent to me. If I open up my inspect element window, I can go ahead and change that <codeclass="language-plaintext highlighter-rouge">maxlength</code> attribute to anything I want. Let’s change it to 100!</p><figure><imgsrc="/assets/img/qyf-xss/5-maxlength.png"alt="An image of the Quiz Your Friends name input field with inspect element. THe code reads: <font class="style6"><input class="inputbutton" name="takername" type="text" id="takername" maxlength="20" width="425" placeholder="Your First Name" style="text-align: center; text-decoration:inherit; font-size:38px;" tabindex="-1"></font>"/><figcaption> Manually changing the maxlength attribute. </figcaption></figure><p>In theory, there is a way that a site can stop people from just putting in their name of any length: server-side validation. The server <em>could</em> check to see if the input is too long and reject it if it is. The Quiz My Friends server has <em>no such checks in place</em>. Therefore, I can send an almost arbitrary load to them. Being able to send something potentially very large (more than a few megabytes) is a vulnerability of its own. Imagine being able to send entire executable programs as your “name” in one of these quizzes?</p><h4id="hacking">Hacking:</h4><p>So I went on my merry way thinking about ways to use malicious javascript. Then, I thought that might be mean, so I decided to warn users instead. I filled in the name with a script tag and a call to <codeclass="language-plaintext highlighter-rouge">alert()</code> to warn the user about this site.</p><p><codeclass="language-plaintext highlighter-rouge">JAVASCRIPT_NAME.JPG</code></p><p>I ran out of room before I could finish it. Hmmm. What if I do “Inspect Element” and manually override the max-length attribute?</p><p>The unfortunate truth is: this worked as well!</p><p>Not only could I manually set the max-length by changing it in the HTML, but there were no client-side OR server-side checks to make sure the name I was sending was less than or equal to 20 characters.</p><p>If Javascript checked it, it would have stopped me (although maybe not a professional). If the server checked it, it could have stopped almost anyone.</p><h2id="executing-an-exploit">Executing An Exploit</h2><p>Suppose we’re on a vulnerable site like <ahref="https://www.quizyourfriends.com/">Quiz Your Friends</a> and you decide you want to hack your friend’s quiz! How can this be done?</p><h4id="creating-a-quiz">Creating A Quiz</h4><p>Here is my quiz below:</p><p><codeclass="language-plaintext highlighter-rouge">CREATING_QUIZ.IMG</code></p><h4id="setting-a-name-with-an-html-tag">Setting A Name With an HTML Tag</h4><p>Just like the image above, about how I found out about this vulnerability: go ahead and use an HTML tag in your name to test this out.</p><p><codeclass="language-plaintext highlighter-rouge">BOLD_ITALIC_STEVE.JPG</code></p></article></main><hr><footer> This page is mirrored on <ahref="https://beta.tait.tech/2020-04-27-quiz-your-friends-xss.html">beta.tait.tech</a>. </footer></div></body></html>
