Here are a few magical features that I recently encountered. Let’s start with a few challenges:
Here are a few magical features that I recently encountered. Let’s start with a few challenges:
Last month, I created an XSS challenge and hosted it on my GitHub: https://aszx87410.github.io/xss-challenge/notes/
This is the writeup about the challenge and solutions, including intended and unintended.
I will start from the intended one.
There were two difficult Web questions this time. I solved one, and the other one was unsolvable, but the solution is worth a look. Here’s a brief summary.
If you want to generate a new window on a webpage, there are probably only two options: one is to embed resources on the same page using tags such as iframe
, embed
, and object
, and the other is to use window.open
to open a new window.
As a front-end developer, I believe that everyone is familiar with these. You may have used iframe
to embed third-party web pages or widgets, or used window.open
to open a new window and communicate with the original window through window.opener
.
However, from a security perspective, there are many interesting things about iframes, which often appear in the real world or in CTF competitions. Therefore, I want to record some of the features I learned recently through this article.
ERPNext is a very popular open-source ERP(Enterprise Resource Planning) software built on Frappe Framework.
Last December, we found two vulnerabilities in the latest version of ERPNext: SSRF(Server-Side Request Forgery) and account takeover via XSS. Both vulnerabilities require a low-privileged authenticated user to perform the attack.
By exploiting SSRF, a malicious actor could steal the credentials from cloud metadata and may lead to RCE. For XSS, it’s possible to take over others’ accounts.
We reported both vulnerabilities on November 25th, 2021. At the time of writing, there is still no fix for those two issues, so we decided to publish the details to inform the public about the risk.
Amelia is a WordPress plugin developed by TMS that allows you to easily add a booking system to your WordPress website, such as for clinics, hair salons, or tutoring, making it ideal for setting up a simple reservation system. According to official WordPress statistics, approximately 40,000 websites have installed this plugin.
In early March, I conducted some research on the source code of the Amelia system and found three vulnerabilities that all involve sensitive information disclosure:
CVE-2022-0720
Amelia < 1.0.47 - Customer+ Arbitrary Appointments Update and Sensitive Data Disclosure (CVSS 6.3)CVE-2022-0825
Amelia < 1.0.49 - Customer+ Arbitrary Appointments Status Update (CVSS 6.3)CVE-2022-0837
Amelia < 1.0.48 - Customer+ SMS Service Abuse and Sensitive Data Disclosure (CVSS 5.4)If attackers exploit these vulnerabilities, they can obtain all consumer data, including names, phone numbers, and reservation information.
Below, I will briefly introduce the architecture of Amelia and the details of these three vulnerabilities.
Amelia is a WordPress plugin for booking systems developed by TNS. With 40,000+ active installations, it has been used for the clinic, hair salon, tutor, and so on.
In March, we studied the source code of Amelia and found three vulnerabilities in the end:
CVE-2022-0720
Amelia < 1.0.47 - Customer+ Arbitrary Appointments Update and Sensitive Data Disclosure (CVSS 6.3)CVE-2022-0825
Amelia < 1.0.49 - Customer+ Arbitrary Appointments Status Update (CVSS 6.3)CVE-2022-0837
Amelia < 1.0.48 - Customer+ SMS Service Abuse and Sensitive Data Disclosure (CVSS 5.4)By exploiting these vulnerabilities, a malicious actor could get all the customer’s data, including name, phone, and booking details.
In this article, I will talk about the code structure of Amelia and the details of three vulnerabilities.
I participated in LINE CTF 2022 with the team Water Paddler and we ranked seventh with the help of my teammates. I only contributed to one question, while the others were solved by my teammates or stuck. This article briefly summarizes the solutions to each question, most of which are referenced from LINE CTF 2022 Writeups by maple3142.
Last weekend, in addition to the SUSCTF 2022 I wrote about in my previous post, there was also another TSJ CTF with many good challenges. Due to time constraints, I only chose the ones that interested me more, and this is the Nim Notes challenge mentioned in the title. I didn’t manage to solve it in the end (I was far from it), but the solution was very interesting, so I’m writing this post to record the official solution.
The author’s (maple3142) writeup is here: https://github.com/maple3142/My-CTF-Challenges/tree/master/TSJ%20CTF%202022/Nim%20Notes
This holiday there were several CTFs, and I participated in SUSCTF 2022 with team SU. This post briefly records my experience with several of the challenges I participated in.
The list of challenges I will discuss is as follows: