airsmeller
SRC: https://library.m0unt41n.ch/challenges/air-smeller
This challenge had a bot component and a leave-a-review component. It was quite clear the goal was to achieve XSS, but the inputs were sanitized using DOMPurify v19.0.0. At first glance I spent a ton of time looking for other stuff (obviously didn't find anything), since most of the time DOMPurify is 100% a red herring / not the issue. But after the official qualifier there was a lot of talk about people finding commits of fixes for DOMPurify bypasses, so I searched and found one. -> DomPurify Commit
So it turns out DOMPurify uses parse5 internally, and parse5 considered style tag content within SVGs as safe and therefore didn't escape HTML content within it.
<svg><style>
The next step is to escape from the style/CSS context into a normal HTML context. This is achievable by confusing parse5 into thinking a new tag starts, using <<sometag href="</" here, which then gets filtered out... essentially resulting in parse5 giving us an HTML context.
<svg><style><<malformed href="</"
The final step is to complete our payload to perform some XSS, so we create an image element, which allows us to execute JS on error.
<svg><style><<malformed href="</" >img src=x onerror=alert("xss")></style></svg>
The rest is trivial: we can add a flag exfil payload that triggers a hook with the document.cookie of the regularly visiting admin bot, which contains the flag.
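As an added example (not part of this writeup, and not DOMPurify's own code), here is a small defence-in-depth pre-sanitizer check in JavaScript that flags untrusted HTML which nests <style> inside SVG/MathML foreign content or contains a "<<" double tag-open, run over the writeup's payload and a constructed benign review. The function names scanHtml/isSuspicious and the sample inputs are my own assumptions.

```javascript
// Added example: defence-in-depth scanner for review input before it reaches
// the sanitizer. It flags the two ingredients the writeup relies on:
//   1. a <style> element opened inside SVG/MathML foreign content
//   2. a "<<" sequence (never valid markup; used to confuse the tokenizer)
// Tag tracking is deliberately simple: no comment/CDATA handling.
const FOREIGN_CONTENT = new Set(["svg", "math"]);
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)/g;

function scanHtml(input) {
  const findings = [];
  // Rule 2: every "<<" occurrence is reported with its offset.
  for (let i = input.indexOf("<<"); i !== -1; i = input.indexOf("<<", i + 1)) {
    findings.push({ rule: "double-tag-open", offset: i });
  }
  // Rule 1: walk tags, counting how many svg/math elements enclose us.
  let depth = 0;
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(input)) !== null) {
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (FOREIGN_CONTENT.has(name)) {
      depth = closing ? Math.max(0, depth - 1) : depth + 1;
    } else if (name === "style" && !closing && depth > 0) {
      findings.push({ rule: "style-in-foreign-content", offset: m.index });
    }
  }
  return findings;
}

function isSuspicious(input) {
  return scanHtml(input).length > 0;
}

// Sample inputs (constructed): the payload from the writeup and a benign review.
const PAYLOAD_FROM_WRITEUP =
  '<svg><style><<malformed href="</" >img src=x onerror=alert("xss")></style></svg>';
const BENIGN_REVIEW = '<b>Great</b> product <svg><circle r="1"/></svg>';

console.log(scanHtml(PAYLOAD_FROM_WRITEUP)); // two findings
console.log(isSuspicious(BENIGN_REVIEW));    // false
```

This complements, rather than replaces, keeping DOMPurify patched and forbidding style via its FORBID_TAGS option.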