├── composer.json
├── logout.php
├── trigger_fake_admin.php
├── mysql.php
├── dbdata.sql
├── trigger_fake_admin_2.php
├── app.json
├── authenticate.php
├── composer.lock
├── README.md
├── setup_mysql.php
├── fake_admin_browser.js
├── register.php
├── login.php
└── index.php


/composer.json:
--------------------------------------------------------------------------------
1 | {
2 |   "require": {
3 |     "ext-mysql": "*",
4 |     "ext-mbstring":"*"
5 |   }
6 | }


--------------------------------------------------------------------------------
/logout.php:
--------------------------------------------------------------------------------
1 | <?php
2 | session_start();
3 | session_unset();
4 | session_destroy();
5 | header("Location: login.php");
6 | 


--------------------------------------------------------------------------------
/trigger_fake_admin.php:
--------------------------------------------------------------------------------
1 | The trap is laid! Waiting for an admin to visit your profile...
2 | <br><br>
3 | <script>
4 |     window.location.href="trigger_fake_admin_2.php?id=<?=$_GET['id']?>";
5 | </script>
6 | 
7 | 


--------------------------------------------------------------------------------
/mysql.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $mysql_string = getenv('CLEARDB_DATABASE_URL');
3 | $mysql_url = parse_url($mysql_string);
4 | 
5 | $c = mysql_connect($mysql_url['host'], $mysql_url['user'], $mysql_url['pass']) or die(mysql_error());
6 | $db_name = str_replace("/", "", $mysql_url['path']);
7 | mysql_select_db($db_name, $c);


--------------------------------------------------------------------------------
/dbdata.sql:
--------------------------------------------------------------------------------
1 | DROP TABLE IF EXISTS `users`;
2 | CREATE TABLE `users` (
3 |   `id` int(11) NOT NULL AUTO_INCREMENT,
4 |   `username` varchar(20) NOT NULL DEFAULT '',
5 |   `password` varchar(255) NOT NULL DEFAULT '',
6 |   `profile_desc` longtext NOT NULL,
7 |   PRIMARY KEY (`id`)
8 | ) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;


--------------------------------------------------------------------------------
/trigger_fake_admin_2.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | $base_url = 'http' . (isset($_SERVER['HTTPS']) ? 's' : '') . '://' . "{$_SERVER['HTTP_HOST']}/";
 4 | 
 5 | $results = shell_exec('phantomjs fake_admin_browser.js --url '.$base_url.' --password '.getenv('CTF_FLAG').' --profileid '.$_GET['id']);
 6 | print "<br><br>";
 7 | print "We caught an admin! Our XSS caught this information via alert():";
 8 | print "<hr>";
 9 | print nl2br($results);
10 | print "<hr>";


--------------------------------------------------------------------------------
/app.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "env": {
 3 |     "CTF_FLAG": "PUT-FLAG-HERE"
 4 |   },
 5 |   "addons": [
 6 |     "papertrail",
 7 |     "cleardb"
 8 |   ],
 9 |   "success_url": "/index.php",
10 |   "scripts": {
11 |     "postdeploy": "php setup_mysql.php"
12 |   },
13 |   "buildpacks": [
14 |     {
15 |       "url": "https://github.com/heroku/heroku-buildpack-php"
16 |     },
17 |     {
18 |       "url": "https://github.com/stomita/heroku-buildpack-phantomjs"
19 |     }
20 |   ]
21 | }
22 | 


--------------------------------------------------------------------------------
/authenticate.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | include "mysql.php";
 4 | 
 5 | $username = mysql_real_escape_string($_POST['username']);
 6 | $password = md5($_POST['password']);
 7 | $uq = mysql_query("SELECT `id`, `password` FROM `users` WHERE `username` = '$username' AND `password` = '$password'", $c);
 8 | if (mysql_num_rows($uq) == 0)
 9 | {
10 |     die("Invalid username or password!<br /><a href='login.php'>&gt; Back</a>");
11 | }
12 | else
13 | {
14 |     $mem = mysql_fetch_assoc($uq);
15 |     $_SESSION['id'] = $mem['id'];
16 |     setcookie("hint", 'use-these-cookies-to-login-as-admin', time()+36000);
17 |     header("Location: /index.php");
18 |     exit;
19 | }
20 | 


--------------------------------------------------------------------------------
/composer.lock:
--------------------------------------------------------------------------------
 1 | {
 2 |     "_readme": [
 3 |         "This file locks the dependencies of your project to a known state",
 4 |         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
 5 |         "This file is @generated automatically"
 6 |     ],
 7 |     "hash": "4032f9a7678ad10ae1a13e7369f85d34",
 8 |     "content-hash": "a243a4e7654fee2a753e9fd9e0f4aec1",
 9 |     "packages": [],
10 |     "packages-dev": [],
11 |     "aliases": [],
12 |     "minimum-stability": "stable",
13 |     "stability-flags": [],
14 |     "prefer-stable": false,
15 |     "prefer-lowest": false,
16 |     "platform": {
17 |         "ext-mysql": "*",
18 |         "ext-mbstring": "*"
19 |     },
20 |     "platform-dev": []
21 | }
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # XSS Cookie Stealing Challenge
 2 | 
 3 | Challenge: See if you can become logged in as the "admin" user.
 4 | 
 5 | Note that to do so, you'll need to create your own account and create an XSS attack on your user profile.
 6 | 
 7 | For purposes of this challenge, anything you successfully "alert()" in the admin's browser will be passed along to you. (Admin browser is simulated using phantomjs)
 8 | 
 9 | Deploy to your own Heroku instance with this button below, or try out our live demo [HERE](https://ctf-xss-challenge.herokuapp.com/) (not guaranteed to be up).
10 | 
11 | [![Deploy](https://www.herokucdn.com/deploy/button.png)](https://heroku.com/deploy)
12 | 
13 | Note that useful information for testing and debugging will be logged to the Papertrail app in your heroku instance. Open papertrail to view those streaming logs.
14 | 


--------------------------------------------------------------------------------
/setup_mysql.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | include "mysql.php";
 4 | $is = mysql_query("SELECT * FROM users", $c) or die(set_mysql());
 5 | 
 6 | function set_mysql() {
 7 |     //Only executed if table does not exist
 8 |     $c = mysql_connect($db_hostname, $db_username, $db_password);
 9 |     mysql_select_db($db_database, $c);
10 |     $e_db_hostname = addslashes($db_hostname);
11 |     $e_db_username = addslashes($db_username);
12 |     $e_db_password = addslashes($db_password);
13 |     $e_db_database = addslashes($db_database);
14 | 
15 |     $fo = fopen("dbdata.sql", "r");
16 |     $query = '';
17 |     $lines = explode("\n", fread($fo, 1024768));
18 |     fclose($fo);
19 |     foreach ($lines as $line)
20 |     {
21 |         if (!(strpos($line, "--") === 0) && trim($line) != '')
22 |         {
23 |             $query .= $line;
24 |             if (!(strpos($line, ";") === FALSE))
25 |             {
26 |                 mysql_query($query);
27 |                 $query = '';
28 |             }
29 |         }
30 |     }
31 | 
32 |     $adminpassword = md5(getenv('CTF_FLAG'));
33 |     mysql_query("INSERT INTO `users` VALUES (1,'admin','{$adminpassword}', '')");
34 | }


--------------------------------------------------------------------------------
/fake_admin_browser.js:
--------------------------------------------------------------------------------
 1 | // Locally: phantomjs fake_admin_browser.js --url test.com
 2 | // Heroku: /app/vendor/phantomjs/bin/phantomjs fake_admin_browser.js --url test.com
 3 | 
 4 | var system = require('system');
 5 | var base_url = "http://localhost:8888/";
 6 | var password = "";
 7 | var profileid = 0;
 8 | 
 9 | if (system.args.length === 1) {
10 |     console.log('Try to pass some args when invoking this script!');
11 | } else {
12 |     system.args.forEach(function (arg, i) {
13 |         if (i == 2) {
14 |             base_url = arg;
15 |         }
16 |         if (i == 4) {
17 |             password = arg;
18 |         }
19 |         if (i == 6) {
20 |             profileid = arg;
21 |         }
22 |     });
23 | }
24 | 
25 | function open_target_profile(profileid) {
26 |     var userprofilepage = require('webpage').create();
27 |     userprofilepage.onAlert = function(alertmsg) {
28 |         console.log(alertmsg);
29 |     }
30 |     userprofilepage.open(base_url+"index.php?id="+profileid, function (status) {
31 |         setTimeout(function(){
32 |             phantom.exit(0);
33 |         }, 3000);
34 |     });
35 | }
36 | 
37 | var loginpage = require('webpage').create();
38 | loginpage.open(base_url+'authenticate.php', 'post', 'username=admin&password='+password+'&save=OFF', function (status) {
39 | 
40 |     open_target_profile(profileid);
41 | });
42 | 


--------------------------------------------------------------------------------
/register.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | require "mysql.php";
 4 | ?>
 5 | 
 6 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 7 | <html xmlns="http://www.w3.org/1999/xhtml">
 8 | <head>
 9 | <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
10 | <title>breakthenet</title>
11 | </head>
12 | <body bgcolor="#C3C3C3">
13 | 
14 | <?
15 | if ($_POST['username'])
16 | {
17 |     $username = mysql_real_escape_string($_POST['username']);
18 |     $q = mysql_query("SELECT * FROM users WHERE username='$username'");
19 |     if (mysql_num_rows($q))
20 |     {
21 |         print "Username already in use. Choose another.";
22 |     }
23 |     else
24 |     {
25 |         mysql_query("INSERT INTO users (username, password) VALUES( '{$username}', md5('{$_POST['password']}'))");
26 |         print "You have signed up, enjoy the game.<br />&gt; <a href='login.php'>Login</a>";
27 |     }
28 | }
29 | else
30 | {
31 | 	?>
32 |     <h3>
33 |       Register
34 |     </h3>
35 |     <form action="register.php" method="post">
36 |       Username: <input type="text" name="username" maxlength="20" /><br />
37 | 	  <!-- Username max length of 20 enforced at the database level. Not sure if it actually throws an error though, so stop them on frontend. -->
38 |       Password: <input type="password" name="password" /><br />
39 |       <input type="submit" value="Submit" />
40 |     </form><br />
41 |     &gt; <a href='login.php'>Go Back</a>
42 | 	<?
43 | }
44 | ?>
45 | </body>
46 | </html>
47 | 


--------------------------------------------------------------------------------
/login.php:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 2 | <html xmlns="http://www.w3.org/1999/xhtml">
 3 | <head>
 4 | <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
 5 | <title>BreakTheNet</title>
 6 | </head>
 7 | <body bgcolor="#C3C3C3">
 8 |     <h3>
 9 |       &gt; BreakTheNet Log-In
10 |     </h3>
11 |     <table width="80%">
12 |       <tr>
13 |         <td width="50%">
14 |           <fieldset>
15 |             <legend>About BreakTheNet</legend>
16 |             An XSS challenge - see if you can become logged in as the "admin" user.<br><br>
17 |             Note that to do so, you'll need to create your own account and create an XSS attack on your user profile.<br><br>
18 |             For purposes of this challenge, anything you successfully "alert()" in the admin's browser will be passed along to you.<br><br>
19 |             Feel free to review the source code as part of the challenge <a href='https://github.com/breakthenet/CTF-XSS-Challenge'>here</a>.
20 |           </fieldset>
21 |         </td>
22 |         <td>
23 |           <fieldset>
24 |             <legend>Login</legend>
25 |             <form action="authenticate.php" method="post" name="login" id="login">
26 |               Username: <input type="text" name="username" /><br />
27 |               Password: <input type="password" name="password" /><br />
28 |               <input type="submit" value="Submit" />
29 |             </form>
30 |           </fieldset>
31 |         </td>
32 |       </tr>
33 |     </table><br />
34 |     <h3>
35 |       <a href='register.php'>REGISTER NOW!</a>
36 |     </h3><br />
37 |   </body>
38 | </html>
39 | 


--------------------------------------------------------------------------------
/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | $id = $_SESSION['id'];
 4 | if (!$id) {
 5 |     header("Location: login.php");
 6 |     exit;
 7 | }
 8 | header('X-XSS-Protection: 0');
 9 | include "mysql.php";
10 | 
11 | if($_POST['profile_desc']) {
12 |     $profile_desc = mysql_real_escape_string($_POST['profile_desc']);
13 |     mysql_query("UPDATE users SET profile_desc='$profile_desc' WHERE id=$id");
14 | }
15 | 
16 | if($_GET['id'] && $id == 1) {
17 |     //Admin uses this to browse to other people's profiles.
18 |     $id = $_GET['id'];
19 | }
20 | 
21 | $is = mysql_query("SELECT * FROM users WHERE id='{$id}'") or die(mysql_error());
22 | $ir = mysql_fetch_array($is);
23 | 
24 | ?>
25 | <style>
26 |     textarea {
27 |         width: 300px;
28 |         height: 150px;
29 |     }
30 | </style>
31 | <table border=0>
32 |     <tr><td>
33 |     <fieldset>
34 |       <legend><select disabled='disabled' alt='Only admins can view all players profiles'>
35 |         <option><?=$ir['username']?></option>
36 |     </select>'s Profile</legend>
37 |       <?=$ir['profile_desc']?>
38 |       <br><br>
39 |       <br><br>
40 |       <br><br>
41 |       <br><br>
42 |       <br><br>
43 |       <br><br>
44 |       <br><br>
45 |       <br><br>
46 |       <br><br>
47 |       <br><br>
48 |       <hr>
49 |       <?
50 |         if($ir['id'] == 1) {
51 |             $ctf_flag = getenv('CTF_FLAG');
52 |             print "<font color='green'>CTF Flag: ".$ctf_flag."</font>";
53 |         }
54 |         else {
55 |             print "<font color='red'>CTF Flag: [disabled] - Must be logged in as admin to access.</font>";
56 |         }
57 |       ?>
58 |     </fieldset>
59 | 
60 |     </td><td>
61 | 
62 |     <fieldset>
63 |       <legend>Update your Profile Description</legend>
64 |       <form action="index.php" method="post" name="login" id="login">
65 |         Current Value: <br>
66 |         <textarea id="profile_desc" name="profile_desc" rows=5 cols=10 /><?=$ir['profile_desc']?></textarea><br>
67 |         <input type="submit" value="Submit" />
68 |       </form>
69 |     </fieldset>
70 | 
71 |     <br><br><br>
72 |     <script>
73 |     function trigger_admin() {
74 |         window.open('trigger_fake_admin.php?id='+<?=$id?>, 'Admin Simulation', 'status=1, height=485, width=420, left=100, top=100, resizable=0');
75 |     }
76 |     </script>
77 |     <button onclick="trigger_admin()">Lay trap for admin to visit your profile...</button>
78 | 
79 |     <br><br><br>
80 |     &gt; <a href='logout.php'>LOGOUT</a>
81 |     </td></tr>
82 | </table>
83 | 


--------------------------------------------------------------------------------