Juice-shop: XSS Tier 5 challenge description unclear/misleading

Created on 11 Feb 2019  ·  11Comments  ·  Source: bkimminich/juice-shop

I am playing shop's challs recently. This is a chall I am more confused about. I haven't seen a question like this. According to the chall's description Perform a *persisted* XSS attack with <iframe src="javascript:alert('xss')"> through an HTTP header., I think it is more likely perfrom a reflected xss through an HTTP header.


Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

challenge documentation

All 11 comments

I saw the earlier description of xss tier 5. I think the earlier version is better.

You need to chain a self-xss with another low impact bug to escalate it to other users.

I think this is more understandable. After I read the current version, I tried to directly find something in http header is vulnerable to use to perfrom the persisted xss. After I think about it, I think it's impossible to perform the persisted xss through an HTTP header directly. After I read the earlier version description, I have a clearer understanding of the chall.

Or I didn't get the new skill about this chall. Looking forward to your reply. :)

@CaptainFreak @J12934 What do you think we should do to improve the challenge description and hint?

Mhhh i think the client side implementation got lost in in the angular upgrade.

The challenge can still be solved if you know what you are supposed to to, but it is pretty much impossible to find.

:godmode: Warning Spoilers:

The challenge is about a lastLoginIp value which gets displayed back to the user to check that nobody else has logged in with their account. (The feature was initially added here: https://github.com/bkimminich/juice-shop/commit/6c48d9a0cd10889980c301dc199395ac6a7bb313#diff-b26e7266ea5838968bf3df2af0e1126a)

To fix this we should add the display back into the application. We should find a fitting place for it, it was previously displayed in the navbar, but that doesnt seem fitting for it anymore with the latest navbar tweeks.

How about the "Change Password" or "User Profile" screens? Where will 2FA setup be done later?

Am 21. Februar 2019 18:35:43 MEZ schrieb Jannik Hollenbach notifications@github.com:

:godmode: Warning Spoilers:

The challenge is about a lastLoginIp value which gets displayed back
to the user to check that nobody else has logged in with their account.
(The feature was initially added here:
https://github.com/bkimminich/juice-shop/commit/6c48d9a0cd10889980c301dc199395ac6a7bb313#diff-b26e7266ea5838968bf3df2af0e1126a)

To fix this we should add the display back into the application. We
should find a fitting place for it, it was previously displayed in the
navbar, but that doesnt seem fitting for it anymore with the latest
navbar tweeks.

--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/bkimminich/juice-shop/issues/804#issuecomment-466092520

I was thinking of adding something like a „Privacy and Security“ screen with a sidenav (like github settings) for the related setting like:

  • change password
  • 2FA
  • request data export
  • Access log

Yes. When I am playing juice-shop, I find all the description in the pwning-juiceshop book that is not displayed in the juice-shop. For example, the chall Log in with Amy's original user credentials displayed in the pwning-juiceshop is attached with a picture. But I don't find the picture in the juice-shop. So I have to read the hints of this chall.

Maybe the picture is well-known. Just I don't know the picture. : )

Do you mean the picture of the character Amy from the Futurama TV show? That is not in the Juice Shop, true. It's part of the challenge to get the Futurama reference.

But actually we could add her picture to her profile page to make it a bit easier.

@bkimminich Yes. I'm sorry for my bad expression. I suggest it is better to add some description in the pwning-juiceshop to the juice-shop. It is more understandable.

Opened #867 to fix the missing client-side of _XSS Tier5_.

This thread has been automatically locked because it has not had recent activity after it was closed. :lock: Please open a new issue for regressions or related bugs.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

bkimminich picture bkimminich  ·  6Comments

bkimminich picture bkimminich  ·  6Comments

bkimminich picture bkimminich  ·  5Comments

sushi2k picture sushi2k  ·  5Comments

cnotin picture cnotin  ·  5Comments