Rill
Volunteer sign-up with a 24-character cap on search queries. Safer, right?
Room Description

https://dashboard.webverselabs-pro.com/challenges/rill
Scenario
Rill is a creek-conservation volunteer network. Their sign-up search has a 24-character cap because the dev heard "shorter queries are safer." There's no other filter.
Objective
Volunteer sign-up with a 24-character cap on search queries. Safer, right?
Initial Analysis
Alrighty, let's fire, or well, cool this challenge up, out, whatever, I can't really think of a witty way to say this, but the web app is basically about clean water and volunteering services.

We have the following endpoints available to us:
<nav>
<a href="/report">Field SMS</a>
<a href="/creeks">Watersheds</a>
<a href="/events">Cleanups</a>
<a href="/volunteers">Volunteer sign-up</a>
</nav>
The most intriguing ones are Field SMS and Volunteer sign-up.
Finding the bug
/volunteers
A simple sign-up sheet to help out.

The frontend for the form looks like this:
<form class="rl-signup" method="post" action="/volunteers">
<label>Name <input name="name"></label>
<label>Phone <input name="phone" type="tel"></label>
<label>Creek
<select name="creek">
<option>Woolaver Run</option>
<option>Pike Creek</option>
<option>Sinking Brook</option>
<option>Limestone Fork</option>
<option>Bonfire Run</option>
</select>
</label>
<button>Sign up</button>
</form>
but when we submit the data we get the following response:

So is this a dead end? Unless we need to use a PUT request or something here; I'm not sure what it could be.
/creeks
This is just a static list:

/events
This is also a static list:

/report
Now this is where the fun starts! We have a telephone: we can exchange messages with someone and let them know there is trouble on the water. The catch is that we can apparently only send 24 characters.

Or rather, only the first 24 characters are previewed; the input itself accepts longer messages, so the cap is on what gets rendered, not on what we can send.

Exploitation
So the challenge is to find a payload under 24 characters that executes. That isn't hard with Google on our side (plus we already used a short payload for other XSS challenges, the one that strips everything after a space character). It is explicitly stated that there is no other filter, so we don't even need to look at the code to see whether anything is being stripped: the only thing standing between the message and the page is the length cap.
https://github.com/terjanq/tiny-xss-payloads
There are a bunch of fun ones in there; let's use a payload built on <svg>, since that is quite a short tag. This one is 21 characters, so it fits under the cap intact:
<svg/onload=alert(1)>
We go ahead and plop that in our message field and:

Bam wham, thank you ma'am, we got the flag.
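Why the cap never helped, as an added example (this is my own illustration, not code from the Rill challenge or from the tiny-xss-payloads repo). It assumes the /report preview stores the full message and drops the first 24 characters into the page as HTML, which is what the truncated preview suggests; the challenge's own server code was never shown. The previewUnsafe, previewSafe, survivesCap, hasHandlerTag and report names are mine.

```javascript
// Added example: a length cap versus an output encoder.
// Assumption (not shown by the challenge): the preview is message.slice(0, 24) set via innerHTML.

const PREVIEW_CAP = 24;

// Vulnerable shape: the message is cut to 24 characters but nothing is encoded,
// so whatever survives the cut is still parsed as markup when it lands in innerHTML.
function previewUnsafe(message) {
  return message.slice(0, PREVIEW_CAP);
}

// Hardened shape: encode for the HTML text context (or use textContent in the browser).
// Encode *after* truncating so the cap applies to the user's characters and the
// encoder's expansion (e.g. '<' -> '&lt;') can never be cut in half.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function previewSafe(message) {
  return escapeHtml(message.slice(0, PREVIEW_CAP));
}

// Does a payload survive the cap byte-for-byte? Anything at or under 24 characters does.
function survivesCap(payload) {
  return previewUnsafe(payload) === payload;
}

// Crude marker for "this string still holds a closed tag with an event-handler attribute".
// It is a demo check, not a sanitizer. It requires the closing '>' so a tag that the cap
// chopped in half (e.g. '<img src=x onerror=alert') is not counted as firing.
function hasHandlerTag(html) {
  return /<[a-z][^>]*[\s/]on[a-z]+\s*=[^>]*>/i.test(html);
}

// Constructed sample messages. The svg payload is the one used in the writeup (21 chars).
const samples = [
  '<svg/onload=alert(1)>',          // 21 chars: fits under the cap untouched
  '<img src=x onerror=alert(1)>',   // 28 chars: the cap cuts off "(1)>"
  'Oil sheen at Pike Creek',        // 23 chars: an ordinary field report
];

// For each message: its length, whether it survives the cap, and whether the
// unsafe / safe previews still contain a live handler tag.
function report(messages) {
  return messages.map((m) => ({
    message: m,
    length: m.length,
    survives: survivesCap(m),
    unsafeFires: hasHandlerTag(previewUnsafe(m)),
    safeFires: hasHandlerTag(previewSafe(m)),
  }));
}

console.table(report(samples));
```

The table makes the point of the challenge concrete: the cap only removes payloads longer than 24 characters, and plenty of working ones are shorter, while the encoded preview neutralises all of them regardless of length. Truncation is a display decision, not a security control.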
