Hey! Not your first time visiting our CTF Recaps? Go ahead and jump on down to the insights! If it is your first time, allow us to give a quick rundown of what these are. Wizer CTFs were launched to challenge developers to learn to think like a hacker in order to learn to code more securely. It's part of our new security awareness training we're designing focused on the dev team!
Once a challenge is retired the Wizer Wizard behind these creations - our very own CTO Itzik Spitzen - creates takeaways that provide clues into the challenge from the perspective of defending your script. Want to test-drive a CTF before reading the notes? Go ahead at wizer-ctf.com - it's free and there's something for all levels.
In this short challenge, we identify a common XSS bypass, which developers could easily miss.
Description of code
What’s wrong with that approach?
A word-replace approach is not a good sanitization strategy: it misses common bypass techniques, which attackers love!
What would a successful XSS attack look like in this case?
- Choose a proven sanitization strategy:
After understanding the needs, Google it and use a proven sanitization strategy. In this case it would have been effective to validate the argument, which really shouldn't contain anything but letters and maybe numbers. Any regular expression that validates the characters in the argument would be much preferred over a word replace.
- Deep links should be implemented as allow-lists:
For a closed set of options, the argument shouldn't accept anything but those valid options. Avoid planning for future flexibility; keep your code tight and open up options only when you need them.
Wanna join us on our next challenge? Sign up for our mailing list at wizer-ctf.com.