Juice Shop being a retail site, we can host some promotional or introductory video regarding the site. This video will have subtitles which we can make prone to XSS, as described in:
https://hackerone.com/reports/88508
https://www.openbugbounty.org/reports/92115/
We can make an option there to report incorrect subs and ask the user to upload their own sub file. The user can implant the injection code in the file and then the website will be prone to xss. We can make it more difficult by employing few sanitizations and a loophole only which would work. Your views on this, @bkimminich, @J12934, @CaptainFreak?
That is a great idea, but it might just be impossible to _customize_ properly because we cannot expect everyone to make their own custom video with custom yet vulnerable subtitles... If we can address this somehow, then it'd be really cool!
The video and the 'safe' subtitle will be a part of the website. The attackers' task would be to identify that the subtitle is vulnerable and can be XSSed. So he has to only prepare/edit the subs.srt file for this challenge and upload it.
Apart from this, I was thinking mainly of these kinds of videos:
@bkimminich? ^
Having a completely generic sales video with stock photo people but no reference to the business whatsoever would be kind of fun... But also a bit much work to make... 馃榿
Yep definitely :+1: , this would make the challenge portable for different installations too, without much work. I will work a bit on the challenge flow and post it here.
I think I've got it: Let's have a video of @braimee's Juice Shop jingle pre-alpha-version with subtitles somewhere embedded - either hidden as a tier 3 easter egg challenge or just plain on the _About_ page! We then make the video file/URL and the subtitle file/URL configurable. For the 7MS theme it's not necessary as it's the artist behind the jingle. And for Mozilla and BodgeIt Store we just also leave it as is unless someone wants to volunteer to come up with something dedicated for these themes. For any custom theme the author can decide to roll with our jingle video or invest time into something fancy and individual. If we actually go for a hidden placement of the video as _Easter Egg Tier 3_ challenge, it wouldn't even matter that much for theming as these kinds of challenges are typically not shown in corporate awareness trainings, for which theming is mostly relevant.
Jingle file and lyrics can be found here: https://github.com/braimee/bpatty/issues/13#issuecomment-439139410 - For starters we could just have an all-black video with just the subtitles. If the underlying _XSS Tier 3.5_ (or whatever) challenge works fine, then we hide the video in some cool way for that extra _Easter Egg Tier 3_ challenge.
Fixed some remaining issues with 711540e and it works perfectly now!
This thread has been automatically locked because it has not had recent activity after it was closed. :lock: Please open a new issue for regressions or related bugs.