-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathindex.html
84 lines (78 loc) · 2.34 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
<!doctype html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="css/index.css" />
<title>Basic Chatroom</title>
<script src="/socket.io/socket.io.js"></script>
<style>
body {
font-family: monospace;
}
.info {
width:500px;
background-color: #EEEEFF;
padding: 10px;
border-left: 5px solid #666688;
margin-top: 0px;
}
h3 {
width: 500px;
background-color: #CCDDEE;
padding:10px;
text-align: center;
border-left: 5px solid #446688;
}
</style>
</head>
<body>
<div id="container">
<div id="messages"></div>
<p contenteditable id="input" style="overflow-x: auto;"></p>
</div>
<div id="rules">
<h3>Objective</h3>
<p class="info">
We, the officers, have logged into the chatroom with a secret username.
Your job is to steal our username. You must switch our screen to winner.html
and pass to winner.html your name and our username, making it display both.
</p>
<h3>Sub-Challenges</h3>
<p class="info">
Alert your name on everyone's device. <br />
(If you can do this, then you've figured out how to attack the system.)
</p>
<p class="info">
Redirect everyone's device to <a href="https://www.sethusenthil.com">Sethu's site</a><br />
(If you can do this, then you're almost done with the main challenge.)
</p>
<h3>Advice</h3>
<p class="info">
All the code is available <a href="https://github.com/SBCompSciClub/XSSDemo">here</a>.
Check it out if you need to scout for vulnerabilities or figure out how something works.
We recommend looking for edge cases in the filter, examining how data is written to the page,
and checking out <a href="https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet">this resource</a>
for tricks to circumvent naive XSS filters.
We will be providing hints every few minutes, so pay attention.
</p>
</div>
<script>
let socket = io();
let username = prompt("Enter a username: ");
let messageBox = document.querySelector("#messages");
let inputBox = document.querySelector("#input");
inputBox.onkeydown = (event)=>{
if(event.which === 13 || event.charCode === 13){
let message = inputBox.innerText;
inputBox.innerText = "";
socket.emit('message_sent', {
username: username,
body: message
});
}
}
socket.on('message_approved', (message)=>{
messageBox.innerHTML += message+'<br />'
});
</script>
</body>
</html>