Fermata
A piano-tuner booking site still has a debug comment baked into production. It echoes your input — right into an HTML comment.
Room Description

https://dashboard.webverselabs-pro.com/challenges/fermata
Scenario
Fermata connects clients with piano tuners. An old debug line left over from development drops the booking reference into an HTML comment so ops can scan View Source for bad IDs. It never occurred to anyone that comments are just text — not a fence.
Objective
A piano-tuner booking site still has a debug comment baked into production. It echoes your input — right into an HTML comment.
Initial Analysis
Okay, let's explore the application first.


The frontend source (and the navigation header) exposes the following endpoints:
<nav>
<a href="/book">Book a tuning</a>
<a href="/tuners">Our tuners</a>
<a href="/posts">Notes from the bench</a>
</nav>
The /tuners endpoint is just the tuner roster:

and /posts is just a list of notes:

Since we know we have to provide input somewhere, the only place that matters is /book.
Finding the bug
The booking feature is as follows:

Nothing in the source code stands out besides one odd comment:

<!-- debug:booking-ref -->
Let's create a booking and see the POST request.

Our POST request redirects us to the above page.

In the response to the GET request to /book?ref=FM-2026-253350 we can see that our reference number is inserted in two places, one of them being that odd comment.

Where exactly is this reference number read from? We supply it in the URL, so if we change it to test123 and it shows up in the response, we control the input that lands in the comment.


Yep, we can control the reference number value through /book?ref=te.
Exploitation
Let's start by adding plain script tags with an alert to see whether we get a popup, and to learn what sanitization, if any, we need to get around.
<script>alert(0)</script>

This doesn't work yet: inside the comment our script tags are inserted unfiltered (but a comment is never rendered), while in the visible reference number our tags get filtered, so the payload shows up as plain text.

An HTML comment has the following format:
<!-- anything -->
Since we control the input going into the comment, if we close the comment early and then add our script tags, we escape the comment and the browser will render our code.
So this didn't work:
<script>alert(0)</script>
<!-- debug:booking-ref <script>alert(0)</script> -->
Now let's try the comment escape: we close the comment first, then add the payload:
--><script>alert(0)</script>
Which should get rendered as:
<!-- debug:booking-ref --><script>alert(0)</script> -->
and we have a successful pop:


As we can see, we successfully closed the comment so that our script tags land outside it and the browser renders them:
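To show why this works and what a fix looks like, here is an added example in JavaScript (not code from the challenge or from this writeup) that mirrors the /book?ref= page: a render function with the leftover debug comment, the ordinary HTML escaping that protects the visible reference but not the comment, a comment-context escape that does, and a comment-aware check that reports whether any script tag ended up outside the comment. The function names and the page template are assumptions.

```javascript
// Added example (not the challenge's code): reflecting a value into an HTML
// comment, why ordinary HTML escaping does not protect that context, and a check.

// Escaping for text nodes. Note that "-->" contains no "<", so it survives intact.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Escaping for comment context. A comment ends at "-->" or "--!>", and "<!-->" /
// "<!--->" close it immediately, so removing every "-" and ">" leaves no closer.
// Character references are not decoded inside comments; the literal is simply gone.
function escapeForComment(s) {
  return String(s).replace(/-/g, '&#45;').replace(/>/g, '&gt;');
}

// Assumed template for /book?ref=...: the reference appears in the debug comment
// and once more as visible text, as observed in the writeup.
function renderBookingPage(ref, hardened) {
  const inComment = hardened ? escapeForComment(ref) : ref; // the bug: raw when not hardened
  return `<!-- debug:booking-ref ${inComment} -->\n<p>Your reference: ${escapeHtml(ref)}</p>`;
}

// Strip comments the way an HTML parser delimits them, then look for a live script tag.
function scriptOutsideComment(html) {
  const withoutComments = html.replace(/<!--(?:-?>|[\s\S]*?--!?>)/g, '');
  return /<script\b/i.test(withoutComments);
}

// Constructed inputs: the bare tag from the first attempt and the comment-closing variant.
const plainTag = '<script>alert(0)</script>';
const closingPayload = '-->' + plainTag;

for (const ref of [plainTag, closingPayload]) {
  for (const hardened of [false, true]) {
    const page = renderBookingPage(ref, hardened);
    console.log(`hardened=${hardened} ref=${JSON.stringify(ref)} -> script live: ${scriptOutsideComment(page)}`);
  }
}
```

Only the unhardened page with the comment-closing reference reports a live script tag; the real fix, of course, is to delete the debug comment rather than escape into it.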
