$25k GitHub account takeover & justCTF 2023 CSRF+XSS writeup

00:00

In a sense, every single security vulnerability

00:02

comes from a developer making some wrong assumption.

00:06

Just the difference is one time,

00:09

it's just a mistake by the developer

00:11

to make this assumption.

00:12

And another time, frameworks do something so strange

00:16

that it's hard to even blame anyone

00:19

for not understanding what happened.

00:21

In this video, I will show you two examples like this

00:24

based on which I created a CTF challenge,

00:28

which was actually inspired by a reward $25,000

00:32

account takeover on GitHub.

00:34

Enjoy.

00:36

When you create a new route in a web application,

00:39

you usually, regardless of the framework

00:41

or the programming language, do something like this.

00:44

You specify the path, you specify the methods,

00:47

and you specify the function

00:49

that wants to serve this particular request.

00:52

Sometimes you may want to create different functions

00:55

to handle different methods,

00:57

but you can also handle different methods

00:59

within the same function,

01:01

just you have an if statement inside

01:03

to serve something else for the get

01:05

to just serve a static response

01:07

and to actually process some parameters

01:10

and make some changes if the request is post,

01:12

put, delete, or whatever.

01:14

Also, the implicit difference that you cannot see here

01:18

is the CSRF protection.

01:21

Both GitHub and my CTF task used middleware

01:24

to protect against CSRFs,

01:27

and the way it works is it automatically requires

01:30

the CSRF token for all post, put, delete,

01:34

and other requests that are supposed to change

01:36

something on the server,

01:38

and the CSRF protection is not required

01:41

for requests like get

01:42

that are only supposed to serve the response.

01:45

Because of this, even with SameSite=None cookies,

01:49

you couldn't reach this block without a proper CSRF token.

01:54

If you could, in GitHub,

01:56

it would allow you to take over the account,

01:58

and in my CTF task, you would have to also exploit

02:02

the XSS, to which I'll get later in this video.

02:06

Just the question is how to do it,

02:09

and I'll get to answer it in a second,

02:11

but before I do, I'd like to invite you

02:13

to take part in this year's CTF organized by my team,

02:17

justCatTheFish.

02:18

The task I'm showing you is my task from last year.

02:21

Of course, for this year, I have a new one,

02:23

and I promise you, it is a fun one,

02:26

so you should definitely try.

02:28

And apart from this, my teammates have also prepared

02:30

amazing, amazing tasks,

02:32

so you should definitely challenge yourself,

02:34

because it's an amazing way to develop your hacking skills.

02:38

The online teaser starts on 15th June and lasts 24 hours.

02:43

The link is in the description.

02:45

I'd also like to thank our sponsors,

02:47

Trail of Bits, OtterSec, HexRays, and SECFORCE

02:51

for making it possible.

02:52

We have links to sponsors in the description,

02:54

and remember, by checking them out,

02:56

you support both me and my team.

02:59

With this said, let's go back to our task.

03:02

The trick is to use the head method,

03:05

and you may ask, what head method?

03:07

We can see in the controller,

03:08

it's only supposed to route get and post,

03:11

so how on earth do you get a head method here?

03:14

But the thing is, a lot of frameworks on the routing stage

03:18

treat head the same way as they treat get,

03:21

because the logic is head will be the same thing as get,

03:24

just the body of the response will be stripped

03:27

before sending it to the client.

03:29

So the head method will also be routed to the same function,

03:33

but at this stage, with this if statement,

03:37

it is no longer true.

03:38

At this stage, head and get are separate methods,

03:41

so if you have an if statement

03:44

that checks if the method is get,

03:46

it will also be false for the head method,

03:50

which means the head method will not be,

03:53

will not require the CSRF protection,

03:56

yet you can get to this block down there.

03:59

And yes, we do not have the request body,

04:02

but the way parameters are processed,

04:04

it is equivalent to have the request body with a post

04:08

and to have URL parameters of a head.

04:11

And this way, you could take over account in GitHub,

04:15

and in my task, you could change the description

04:19

where you had to exploit an XSS.

04:21

And let's now take a look at it,

04:22

because there is some robust, almost robust sanitization.

04:28

And this is the code that was used

04:30

to sanitize the description, and it is quite aggressive.

04:33

It only allows a few basic tags with no attributes.

04:37

And to my knowledge, you cannot execute JavaScript code

04:40

if you cannot use either a script tag or some attributes.

04:45

But this is not where the mistake was made.

04:48

The mistake was made a few lines above this,

04:51

here, when the code was not parsed, but tokenized.

04:56

And if you are confused as to what on earth

04:59

is the difference between tokenizing and parsing,

05:01

I don't blame you.

05:02

I also don't blame developers

05:04

that do not know this difference,

05:06

because most Stack Overflow answers are confused as well.

05:11

Well, the difference between tokenizer and a parser

05:15

with a simple HTML will be none.

05:17

If you have a simple code like this,

05:19

the outcome would be the same.

05:22

But it becomes confusing when you introduce HTML namespaces,

05:26

because every HTML tag has a namespace.

05:30

Most of them, in most websites that we use,

05:33

are just in the HTML namespace.

05:35

But within the HTML, you can also embed objects

05:39

from a math or SVG namespace.

05:41

And the thing is, the same tag can behave differently

05:45

in HTML namespace and in SVG namespace.

05:48

For example, the text area tag in the HTML namespace

05:52

can only contain text inside.

05:54

So this code will not work.

05:56

You can put any XSS payload from the world,

06:00

and it will not execute until you close the textarea tag.

06:04

Because of this, according to the rules I've shown you

06:07

before, this payload is fine,

06:09

because even though it looks like so,

06:12

it does not contain the script tag.

06:14

It only contains a text that looks like the script tag.

06:18

But this stops being true when we wrap this in the SVG tag,

06:22

which changes the namespace.

06:24

And this is when we finally get to the difference

06:27

between the tokenizer and the parser.

06:29

The parser will apply these namespace rules to this,

06:34

and we'll see the script tag being inside.

06:37

The tokenizer will ignore the namespace,

06:40

so it will still not see the XSS payload here.

06:43

The browser, of course, parses our HTML,

06:47

so this code will look innocent to the sanitizer,

06:51

but it will execute in the browser,

06:53

thus giving you the XSS.

06:56

Once you had this, you could easily exfiltrate the flag,

06:59

so this would be the final payload that you had to use.

07:02

Last year, nine teams found a solution to my task,

07:06

and we believe this year you can be one of them.

07:09

Challenge yourself by participating in the CTF.

07:12

The link is in the description.

07:14

In the meantime, if you want to check another video

07:17

with a CTF task, check out my write-up

07:20

to LiveOverflow's SQL injection task.

07:23

The link is on the screen right now.

07:25

For now, thank you for watching, and goodbye.