Millrace
A brewery site's debug pane echoes your user-agent. Maybe don't let you set that.
Room Description
https://dashboard.webverselabs-pro.com/challenges/millrace
Scenario
Millrace is a microbrewery and taproom that hosts live music. Their homepage has a tiny debug pane echoing the visitor's user-agent into an HTML comment for troubleshooting. The /debug page lets anyone set their session-scoped UA to any string they like. You can see the problem from here.
Objective
A brewery site's debug pane echoes your user-agent. Maybe don't let you set that.
Initial Analysis
This is listed as a Hard XSS challenge, but honestly, it seems pretty straightforward based on the challenge description.
At the lower end of the landing page we have a diagnostics panel where our User-Agent gets reflected.
The available endpoints from the navigation menu are as follows:
<nav>
<a href="/">Chalkboard</a>
<a href="/pours">Tap list</a>
<a href="/events">Events</a>
<a href="/tour">Tour</a>
<a href="/debug">Kiosk diag</a>
</nav>
Finding the bug
/pours
This is just a static list of options for draft beers.
/events
This is just a static list of events that are happening in the pub.
/tour
This is a tour happening at the brewery that you can pay for, just anotehr static list of information.
/debug
This is where our payload should be provided, or through Burp Suite changing the User-Agent header, or through ModHeader, any way you can really manipulate the User-Agent, even cURL would work.
Exploitation
Alrighty, let's see what the panel on the landing page looks front-end wise.
Aha, that's the issue right away, our User-Agent gets reflected in a comment, I think we can just close the comment out earlier and include our payload that would get executed, let's try.
--><script>alert(1)</script>
Now time to go back to the landing page.
We got an alert popup, let's click OK and continue to see the flag.
and if we open the page source we can see where our XSS is getting reflected.
