Fix juice-shop#877 remaining issues

- prescribe actual attack payload - remove check for closing tags - add working payload to test ZIP - restore original file on server start
qauni · Apr 2, 2019 · 711540e · 711540e
1 parent 547a5e1
commit 711540e
Show file tree

Hide file tree

Showing 8 changed files with 70 additions and 36 deletions.
diff --git a/data/static/challenges.yml b/data/static/challenges.yml
@@ -634,7 +634,7 @@
 -
   name: 'XSS Tier 6'
   category: 'XSS'
-  description: 'Perform an XSS attack with <code>&lt;script&gt;alert(`xss`)&lt;/script&gt;</code> on our promotional video page.'
+  description: 'Embed the XSS attack <code>&lt;/script&gt;&lt;script&gt;alert(`xss`)&lt;/script&gt;</code> into one of our marketing collaterals.'
   difficulty: 6
   hint: 'You have to reuse the vulnerability behind one other 6-star challenge to be able to solve this one.'
   hintUrl: ''

diff --git a/data/static/jingleSubtitles.vtt b/data/static/jingleSubtitles.vtt
@@ -0,0 +1,39 @@
+WEBVTT
+
+0
+00:00:00.000 --> 00:00:00.300
+...
+
+1
+00:00:00.300 --> 00:00:05.200
+When you want to shop online then you had better be sure
+
+2
+00:00:05.200 --> 00:00:09.500
+The experience is safe and also secure
+
+3
+00:00:09.500 --> 00:00:15.200
+Don't want to let no SQLi or cross-site scripting ruin your day
+
+4
+00:00:15.200 --> 00:00:20.230
+No, you want to break into a joyous song and say:
+
+5
+00:00:20.230 --> 00:00:25.500
+Juice Shop!
+Juice Shop!
+
+6
+00:00:25.500 --> 00:00:31.050
+You can order tasty beverages in any quantity
+
+7
+00:00:31.050 --> 00:00:35.400
+Juice Shop!
+Juice Shop!
+
+8
+00:00:35.400 --> 00:00:42.000
+Just don't test the site with Burp Suite or you won't like what you see
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
diff --git a/lib/startup/restoreOriginalLegalInformation.js b/lib/startup/restoreOriginalLegalInformation.js
diff --git a/lib/startup/restoreOverwrittenFilesWithOriginals.js b/lib/startup/restoreOverwrittenFilesWithOriginals.js
@@ -0,0 +1,9 @@
+const path = require('path')
+const fs = require('fs-extra')
+
+const restoreOverwrittenFilesWithOriginals = () => {
+  fs.copyFileSync(path.resolve(__dirname, '../../data/static/legal.md'), path.resolve(__dirname, '../../ftp/legal.md'))
+  fs.copyFileSync(path.resolve(__dirname, '../../data/static/jingleSubtitles.vtt'), path.resolve(__dirname, '../../frontend/dist/frontend/assets/public/subtitles/jingleSubtitles.vtt'))
+}
+
+module.exports = restoreOverwrittenFilesWithOriginals
diff --git a/routes/videoHandler.js b/routes/videoHandler.js
@@ -42,13 +42,7 @@ exports.promotionVideo = () => {
       if (err) throw err
       let jadeTemplate = buf.toString()
       let subs = getSubsFromFile()
-      let subsChecker = subs
-      let closeTagCount = 0
-      if (subsChecker.match(`</script>`)) {
-        closeTagCount++
-        subsChecker = subsChecker.replace(`</script>`, ``)
-      }
-      if (utils.contains(subsChecker, `<script>alert(\`xss\`)</script>`) && closeTagCount >= 1) {
+      if (utils.contains(subs, `</script><script>alert(\`xss\`)</script>`)) {
         if (utils.notSolved(challenges.videoXssChallenge)) {
           utils.solve(challenges.videoXssChallenge)
         }

diff --git a/server.js b/server.js
@@ -77,7 +77,7 @@ require('./lib/startup/validateDependencies')({ packageDir: './frontend' })
 require('./lib/startup/validatePreconditions')()
 require('./lib/startup/validateConfig')()
 require('./lib/startup/cleanupFtpFolder')()
-require('./lib/startup/restoreOriginalLegalInformation')()
+require('./lib/startup/restoreOverwrittenFilesWithOriginals')()
 
 /* Locals */
 app.locals.captchaId = 0

diff --git a/test/files/videoExploit.zip b/test/files/videoExploit.zip