So hey guys few weeks ago i stumbled upon infosec ctf challenge.Infosec helped me a lot in knowing some tools have not got to know at the beginning of my pentesting career.I will take you through
CTF #2: Practical Web Hacking (new) ALL LEVELS I CAN SOLVE

So as we can see the page it says XSS script valunrability.
Check more on what XSS is on

https://owasp.org/www-community/attacks/xss/
.
Okay so the page says the challenge is to make the page gives us an alert of Ex1.something not in the page logic.So what do we do next.In every ctf always check out the hints as it is very important.
We know see we have to get an alert box on the page saying ex1.

Look at the hint.
http://ctf.infosecinstitute.com/ctf2/exercises/ex1.php.

We could all see in the following hint that says
"You should disable the front end validation"
If you click the link to the excerise and try saving a link with a number or incorrect.It automatically tells us to correct the field.
Why because there is a validation on the client side as this is just a JavaScript posting back to the client side.This does not have anything to do with backend or server side so lucky we.Let try and use our 'INSPECT ELEMENT TOOL IN OUR BROWSER'.Right click the page to inspect in this case infosec page link above me.

-

My aim is to get an alert on the page .How do I do that?............Think about it....what language is used mostly for client side script . Of course it JavaScript .So check out the oswap js payload script for


XSS.https://owasp.org/www-community/xss-filter-evasion-cheatsheet.


Here you will see ton load ranging from simple XSS to complex ones that could bypass firewall.I love images so I opted for the image payload.

What a nice payload

I would have pasted the payload it seems kudos to seen for protecting nairaland with
Intrusion detection system.see the error I got why trying to post the payload

He blocked his site from this kind of attack lol.This forum is well protected similar to the CTF I am solving .CTF is like exam.it not real.But see an example of ethical hacking now.This real practice you are most likely to face what I faced Intrusion detection system will block you if you try any mess.Anyways we could get around this

So this is somewhat related to the CTF am solving inorder for you to see the payload I used we need to use what is called html on entities and special characters .So < becomes &gt; and so > becomes &lt; .And other special characters so when your browsers see that it does not execute it as part of the html page rather it displays it as a symbol.
So the payload I used is

EXPLANATION OF THE PAYLOAD
the img tag tries to load a page from x as a source using src which will result to an error as this is deliberately intended.so onerror which will definitely happen we have our alert xss accomplished.lol

So back to where I stopped before trying to post and explain the payload.looking at each at each html attribute we could see that the form has been contained in the div container tag looking at the form source code action does nothing other than to echo what I posted in the text fields.
Looking label tag which contains 'site name' we could clearly see the restrictions placed on the input element.The following attribute are the problem cause which do not allow us to be able to get our payload in.
maxsize 10
pattern {A-Za-z}
.The maxsize limits the characters or word count in our input field to 10 .While the pattern makes sure no <> makes it in.
Rather than using html entities the CTF used pattern attribute .While on contary nairaland decides to pay for an intrusion detection system to do the work.So by deleting the maxsize and pattern attribute in inspect element with there values.We are able to pass in < or > sign that a good news for us as we would be able to pass up our payload

I don't understand any damn it but I'm following cause I might catch up later

Runningwater:
I don't understand any damn it but I'm following cause I might catch up later

please kindly wait till i finnish.and you cant understand if you dont have vast knowledge in html and js.

On a contary we are now able to input > and < less than sides respectively.As you can see it get echoed back to our page each time we enter "Add link" button.

-As you can see the highlighted blue element in our page on inspect element.The CTF had encoded our payload with the html entities so it won't work.I have no control over that that as the script is not inducluded directly rather the JavaScript behind the 'Add Link' button was linked to the source.So sad our payload won't work let give up hope

Don't be too sad there is still hope to get our self xss payload to work.If you remember what I told you about html entities you would remember that &lt; also means < ,so by changing the entities &lt and &gt in the previous post to their corresponding html <> in the img tag as it is highlighted below.And saving it let see if that would work

#END OF LEVEL 1.
WE GOT THE XSS WORKING .....HURRAY HAPPY HACKING.

#Post tutorial talk .
1.We could clearly see why the adage never trust a user input comes to play.Assuming those links where to be saved in a data base it would not work the way we have the CTF but it would be similar we would just have to bypass html special entities by changing the characters encoding from utf8 to utf7.That would have caused even the biggest tech companies tears.
2.We could see that this is a teaching apporach to solving CTF as I aim to help my begginers freinds LOL
NOTE:THIS IS A WALK THROUGH AND BOTH A TUTORIAL.SO THE USE OF FANCYING SECOND PERSON PRONOUN COMES TO PLAY.YOU CAN ASK QUESTIONS BELLOW BUT MAKE IT CONSTRUCTIVE.
I hear by invites ryan.fahey to go through this thread .THANKS TO YOU ALL

Collinz2
IceLip
ev4real

I'd love to test it on my own but my fucking elder brother travelled with the only lappy i am using and now i am force to learn marine engineering. But that wont stop me from learning ethical hacking. Kodus to u bro keep it up.

Following.........

Collinz2:
I'd love to test it on my own but my fucking elder brother travelled with the only lappy i am using and now i am force to learn marine engineering. But that wont stop me from learning ethical hacking. Kodus to u bro keep it up.

Following.........

Lol bro

nurain150:
Look at the hint.
http://ctf.infosecinstitute.com/ctf2/exercises/ex1.php.

The link you gave is giving a 404 error.

You can always test your hacking skills on bwapp

darkdenizen:


The link you gave is giving a 404 error.

You can always test your hacking skills on bwapp

This is a CTF bro...not bwapp or mutilidae they are two different things

nurain150:

This is a CTF bro...not bwapp or mutilidae they are two different things

What's the difference cos I can't even view the site you posted

nurain150:

please kindly wait till i finnish.and you cant understand if you dont have vast knowledge in html and js.

I have knowledge in HTML and J's. Not just in depth

nurain150:

please kindly wait till i finnish.and you cant understand if you dont have vast knowledge in html and js.

Okay

darkdenizen:


What's the difference cos I can't even view the site you posted

Google could be of help sir.CTF is a challenge to run on live server ranging from sever to all client side vulnerability.Mutilidae are not CTF they don't award bounty.They don't take any other form of hacking other than web pentesting.Infact you shouldn't be asking me this.This is the least question I would have expected from you.As a vulnerability researcher

Runningwater:

I have knowledge in HTML and J's. Not just in depth

I fear then broad your knowledge until that this is a simple thing anway Self XS$.Just put more effort bro