Adding link to the video presentation
Maltemo committed Jan 22, 2024
1 parent c1de69a commit 12ad0ca
Showing 1 changed file with 1 addition and 1 deletion.
@@ -197,7 +197,7 @@
<code>a=</code> is taken as a parameter of the body tag, and <code>&lt;a href="</code> is interpreted as the value of the <code>a</code> parameter.</p><p>Next, <code>&lt;img src=a onerror=alert(2)&gt;</code> is interpreted, making the <code>alert(2)</code> pop on the screen.</p><p>But <code>DOMPurify</code> is only confronted to this payload :</p><pre><code class="html hljs">$<span class="hljs-string">' a='</span><span class="hljs-operator">&lt;</span>a href<span class="hljs-operator">=</span><span class="hljs-string">"'&gt;&lt;img src=a onerror=alert(2)&gt;"</span><span class="hljs-operator">&gt;</span>asd<span class="hljs-operator">&lt;</span><span class="hljs-operator">/</span>a<span class="hljs-operator">&gt;</span>
</code></pre><p><code>$' a='</code> This part is basicaly ignored by <code>DOMPurify</code> parser.<br>
The <code>&lt;a&gt;</code> tag is analyzed, the content of the <code>href</code> is ignored because it’s contained in a string.<br>
That’s exactly where the javascript execution is placed, with a basic xss payload like <code>&lt;img src=x onerror=alert(1)&gt;</code>.</p><p>We were able to get the closing <code>&lt;/body</code> tag just before our payload thanks to the <code>$'</code> operator.</p><p>This exploit wouldn’t have been possible if the code used a templating engine instead of the <code>replaceAll</code> native JavaScript function.</p><p>When we inspect the behavior of the browser with this payload, we can see that every closing tags without an opening tag before are removed.</p><hr><p><a href="http://creativecommons.org/licenses/by-nc-nd/4.0/" target="_blank" rel="noopener"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-nc-nd/4.0/88x31.png"></a><br>This work is licensed under a <a href="http://creativecommons.org/licenses/by-nc-nd/4.0/" target="_blank" rel="noopener">Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License</a>.</p></div>
That’s exactly where the javascript execution is placed, with a basic xss payload like <code>&lt;img src=x onerror=alert(1)&gt;</code>.</p><p>We were able to get the closing <code>&lt;/body</code> tag just before our payload thanks to the <code>$'</code> operator.</p><p>This exploit wouldn’t have been possible if the code used a templating engine instead of the <code>replaceAll</code> native JavaScript function.</p><p>When we inspect the behavior of the browser with this payload, we can see that every closing tags without an opening tag before are removed.</p><p><a href="https://youtu.be/BmPIFRT0NHI?si=tYI9Eyu9fMlOLoOE&t=2355">Link to the presentation I did in french about this subject.</a></p><hr><p><a href="http://creativecommons.org/licenses/by-nc-nd/4.0/" target="_blank" rel="noopener"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-nc-nd/4.0/88x31.png"></a><br>This work is licensed under a <a href="http://creativecommons.org/licenses/by-nc-nd/4.0/" target="_blank" rel="noopener">Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License</a>.</p></div>
<div class="ui-toc dropup unselectable hidden-print" style="display:none;">
<div class="pull-right dropdown">
<a id="tocLabel" class="ui-toc-label btn btn-default" data-toggle="dropdown" href="#" role="button" aria-haspopup="true" aria-expanded="false" title="Table of content">
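Review bot: the added href on the new line 197 contains an unescaped `&` in the query string (`?si=tYI9Eyu9fMlOLoOE&t=2355`); inside an HTML attribute value it should be written `&amp;t=2355`, and the `si=` share-tracking token YouTube appends to copied links is not needed for the timestamp to work, so `https://youtu.be/BmPIFRT0NHI?t=2355` would be the cleaner target. The rest of the line is the original text carried over verbatim, which is expected since the exported document keeps its whole body on one line.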