Hey people,
here's a small XSS challenge:
## Setup
```
> cat webserver.py
```

```python
import BaseHTTPServer
import re


class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):

    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write(self.__renderHTML())
        return

    def __renderHTML(self):
        # Only paths of the form "/?name=value" are accepted; the value is used
        matches = re.search(r"^/(\?)([^=]+)\=([^\&]+)", self.path)
        if matches:
            var = matches.group(3)
            # HTML template: the markup was stripped from this listing and only
            # the visible text survives; var is interpolated into it
            return """
Challenge"""
        else:
            return ""


def run(server_class=BaseHTTPServer.HTTPServer, handler_class=RequestHandler):
    server_address = ('localhost', 8000)
    httpd = server_class(server_address, handler_class)
    httpd.handle_request()
    httpd.serve_forever()


run()
```
```
> python2.7 webserver.py
127.0.0.1 - - [17/Nov/2014 12:11:28] "GET /?foo=bar HTTP/1.1" 200 -
```
Then use a browser (or curl) to send a GET parameter to the webserver, e.g. http://localhost:8000/?foo=bar
```
> curl "http://localhost:8000/?foo=bar"
Challenge
```
## Task
Your task is to trigger an XSS.
## Rules
- Execute alert(document.domain)
## Hall of fame
- Peter Jaric (@peterjaric) - unintended solution by defeating the regex (code updated, it shouldn't work anymore): http://localhost:8000/&a='+alert(1)+'
- Mathias Karlsson (@avlidienbrunn) - localhost:8000/?foo='-alert(document.domain)-' works in Safari
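As an added example (Python 3, not part of the challenge code): the two hall-of-fame payloads point at a parameter that lands inside a single-quoted JS string, so the sink shape below is an assumption. `render_unsafe` shows that pattern and `render_safe` the fix a defender would apply: parse the query with `urllib.parse` instead of a hand-rolled regex (which also closes the `/&a=...` bypass) and encode per output context.

```python
import html
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample paths: a benign value plus the two hall-of-fame payloads.
SAMPLE_PATHS = [
    "/?foo=bar",
    "/?foo='-alert(document.domain)-'",
    "/&a='+alert(1)+'",
]


def param_from_path(path, name="foo"):
    """Read a query parameter with the standard library, not a hand-rolled regex.

    parse_qs only sees what follows '?', so '/&a=...' (the regex bypass from
    the hall of fame) carries no parameters at all and yields the default.
    """
    query = urlsplit(path).query
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def js_string_literal(value):
    """Serialise value as a JS string literal that is safe inside <script>.

    json.dumps escapes quotes, backslashes, control characters and (with the
    default ensure_ascii=True) every non-ASCII code point. The extra
    replacements cover characters the HTML parser acts on before the JS
    engine ever sees the script body, e.g. a '</script>' inside the value.
    """
    literal = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(ch, esc)
    return literal


def render_unsafe(path):
    """Assumed shape of the challenge's sink: raw interpolation into a JS string."""
    var = param_from_path(path)
    return "<script>var v = '" + var + "';</script><h1>Challenge</h1>"


def render_safe(path):
    """Context-aware encoding: JS-literal encoder in <script>, HTML escaping in the body."""
    var = param_from_path(path)
    return ("<script>var v = " + js_string_literal(var) + ";</script>"
            "<h1>Challenge: " + html.escape(var, quote=True) + "</h1>")
```

Run `render_safe(p)` over `SAMPLE_PATHS` to see that both payloads stay inert data: the JS literal is double-quoted with `<`, `>` and `&` escaped, and the body copy is entity-encoded.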
## Contact
- Twitter @internetwache