Juice-shop: Video subtitles based challenge

Created on 18 Mar 2019  路  8Comments  路  Source: bkimminich/juice-shop

Juice Shop being a retail site, we can host some promotional or introductory video regarding the site. This video will have subtitles which we can make prone to XSS, as described in:
https://hackerone.com/reports/88508
https://www.openbugbounty.org/reports/92115/
We can make an option there to report incorrect subs and ask the user to upload their own sub file. The user can implant the injection code in the file and then the website will be prone to xss. We can make it more difficult by employing few sanitizations and a loophole only which would work. Your views on this, @bkimminich, @J12934, @CaptainFreak?

challenge

All 8 comments

That is a great idea, but it might just be impossible to _customize_ properly because we cannot expect everyone to make their own custom video with custom yet vulnerable subtitles... If we can address this somehow, then it'd be really cool!

The video and the 'safe' subtitle will be a part of the website. The attackers' task would be to identify that the subtitle is vulnerable and can be XSSed. So he has to only prepare/edit the subs.srt file for this challenge and upload it.
Apart from this, I was thinking mainly of these kinds of videos:

  • An animated sequence, campaigning about juice-shop. It can be made kind of weird to divert the attention from the finer details of the video. These kinds of videos can fit with any kind of narration and hence any subtitles.
  • Or we can make a mascot speak continually in the video, and then the subtitle can be anything(depends if anyone wants custom subs for their ctf.) Here we can make the video content weird again to divert the attention.

@bkimminich? ^

Having a completely generic sales video with stock photo people but no reference to the business whatsoever would be kind of fun... But also a bit much work to make... 馃榿

Yep definitely :+1: , this would make the challenge portable for different installations too, without much work. I will work a bit on the challenge flow and post it here.

I think I've got it: Let's have a video of @braimee's Juice Shop jingle pre-alpha-version with subtitles somewhere embedded - either hidden as a tier 3 easter egg challenge or just plain on the _About_ page! We then make the video file/URL and the subtitle file/URL configurable. For the 7MS theme it's not necessary as it's the artist behind the jingle. And for Mozilla and BodgeIt Store we just also leave it as is unless someone wants to volunteer to come up with something dedicated for these themes. For any custom theme the author can decide to roll with our jingle video or invest time into something fancy and individual. If we actually go for a hidden placement of the video as _Easter Egg Tier 3_ challenge, it wouldn't even matter that much for theming as these kinds of challenges are typically not shown in corporate awareness trainings, for which theming is mostly relevant.

Jingle file and lyrics can be found here: https://github.com/braimee/bpatty/issues/13#issuecomment-439139410 - For starters we could just have an all-black video with just the subtitles. If the underlying _XSS Tier 3.5_ (or whatever) challenge works fine, then we hide the video in some cool way for that extra _Easter Egg Tier 3_ challenge.

Fixed some remaining issues with 711540e and it works perfectly now!

This thread has been automatically locked because it has not had recent activity after it was closed. :lock: Please open a new issue for regressions or related bugs.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

GraoMelo picture GraoMelo  路  7Comments

bkimminich picture bkimminich  路  7Comments

bkimminich picture bkimminich  路  5Comments

bkimminich picture bkimminich  路  6Comments

RezaRahmati picture RezaRahmati  路  4Comments