CTF (Capture The Flag) provided by InfoSec Institute
Level 1 is a simple cross-site scripting (XSS) exercise. It is a simple webpage that takes ‘Site Name’ and ‘Site URL’ as input values. The provided hint is about disabling front-end validation.
1. Checking the webpage source
Press the [F12] key, or right-click and choose “view page source”, to check the source. According to the source, each input field has a number of attributes.
Site Name input:
- type="text" // one-line text input field
- placeholder="Name of site" // explanation or description of the input value
- maxsize="10" // text length will be 10 characters long
- class="form-control" // defined class is "form-control" (you can see the css details in the linked css file)
- pattern="[A-Za-z]+" // alphabet only
- required name="name" // name is "name"
Site URL input:
- type="url" // url input
- placeholder="URL of site" // explanation or description of the input value
- required maxsize="15" // text length will be 15 characters long
- class="form-control" // defined class is "form-control" (you can see the css details in the linked css file)
- name="url" // name is "url"
2. Edit input type and attributes
You can easily change the input’s attributes so that the field accepts more than 15 characters, digits, or special characters.
In this example, I deleted “pattern” and changed maxsize to “155”.
3. Try XSS and see if it works, or find another validation
After editing the Site Name input’s attributes, we can type basic XSS such as . But for some reason, it does not show an alert message on the page. It is treated literally as text and written into the webpage. This means there is another input validation in this webpage besides the input attributes.
ex1.js is the obvious place to look for that input validation (the file name stands out, and you can easily find the trim().replace(<) part in it).
replace(/A/,B) means replacing A with B. ‘g’ stands for global, which makes the replace call apply to all matches, not just the first one. So the source changes “<” into “&lt;”. “&lt;” is the HTML-encoded form of “<”.
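The exercise shows that both the input attributes and the script's encoding run in the browser, where the user can edit them, so the same rules have to be enforced again on the server. The following is an added example, not code from the CTF or from ex1.js: the function names and the http/https scheme allow-list are assumptions, and the limits mirror the attributes listed in step 1.

```javascript
// Added example: names are hypothetical, limits mirror the attributes from step 1.
const NAME_PATTERN = /^[A-Za-z]+$/; // same rule as pattern="[A-Za-z]+"
const NAME_MAX = 10;                // limit declared on the name field
const URL_MAX = 15;                 // limit declared on the url field

// Encode every HTML-significant character, not only "<".
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Without the g flag only the first "<" is encoded; later ones pass through.
function encodeFirstOnly(value) {
  return String(value).replace(/</, "&lt;");
}

// Server-side re-check: browser attributes can be edited away, so the
// same rules are applied again where the user cannot change them.
function validateSite(name, url) {
  const errors = [];
  if (typeof name !== "string" || name.length === 0) errors.push("name required");
  else {
    if (name.length > NAME_MAX) errors.push("name too long");
    if (!NAME_PATTERN.test(name)) errors.push("name must be letters only");
  }
  if (typeof url !== "string" || url.length === 0) errors.push("url required");
  else {
    if (url.length > URL_MAX) errors.push("url too long");
    try {
      const parsed = new URL(url);
      // Assumption: only http and https links are wanted for a "Site URL".
      if (!["http:", "https:"].includes(parsed.protocol)) errors.push("url scheme not allowed");
    } catch {
      errors.push("url not parseable");
    }
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample inputs (not taken from the CTF page).
const samples = [
  ["Example", "http://a.io"],
  ["<b>x</b><i>y</i>", "http://a.io"],
  ["Example", "ftp://a.io"],
];
for (const [name, url] of samples) {
  console.log(escapeHtml(name), JSON.stringify(validateSite(name, url)));
}
```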