
Commit e62fb0c

Updates php/challenge-66.md
Auto commit by GitBook Editor
1 parent ea97b6d commit e62fb0c


2 files changed

+46
-0
lines changed


SUMMARY.md

Lines changed: 1 addition & 0 deletions
@@ -69,6 +69,7 @@
6969
* [Challenge 63](php/challenge-63.md)
7070
* [Challenge 64](php/challenge-64.md)
7171
* [Challenge 65](php/challenge-65.md)
72+
* [Challenge 66](php/challenge-66.md)
7273

7374
## RUBY
7475

php/challenge-66.md

Lines changed: 45 additions & 0 deletions
@@ -0,0 +1,45 @@
1+
# Challenge
2+
```php
3+
// composer require "twig/twig"
4+
require 'vendor/autoload.php';
5+
6+
class Template {
7+
private $twig;
8+
9+
public function __construct() {
10+
$indexTemplate = '<img ' .
11+
'src="https://loremflickr.com/320/240">' .
12+
'<a href="{{link|escape}}">Next slide »</a>';
13+
14+
// Default twig setup, simulate loading
15+
// index.html file from disk
16+
$loader = new Twig\Loader\ArrayLoader([
17+
'index.html' => $indexTemplate
18+
]);
19+
$this->twig = new Twig\Environment($loader);
20+
}
21+
22+
public function getNexSlideUrl() {
23+
$nextSlide = $_GET['nextSlide'];
24+
return filter_var($nextSlide, FILTER_VALIDATE_URL);
25+
}
26+
27+
public function render() {
28+
echo $this->twig->render(
29+
'index.html',
30+
['link' => $this->getNexSlideUrl()]
31+
);
32+
}
33+
}
34+
35+
(new Template())->render();
36+
```
37+
38+
# Solution
39+
The challenge contains a cross-site scripting vulnerability in line 26. There are two filters that try to assure that the link that is passed to the <a> tag is a genuine URL. First, the filter_var() function in line 22 checks if it is a valid URL. Then, Twig's template escaping is used in line 10 that avoids breaking out of the href attribute.
40+
41+
The vulnerability can still be exploited with the following URL: ?nextSlide=javascript://comment%250aalert(1).
42+
The payload does not involve any markup characters that would be affected by Twig's escaping. At the same time, it is a valid URL for filter_var(). We used a JavaScript protocol handler, followed by a JavaScript comment introduced with // and then the actual JS payload follows on a newline. When the link is clicked, the JavaScript payload is executed in the browser of the victim.
43+
44+
# Refference
45+
+ php-security-calendar-2017 Day 2 - Twig
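Review bot: the Solution paragraph (new file line 39) writes the anchor tag as a bare `<a>`, which a Markdown renderer treats as raw HTML and drops, leaving "passed to the tag"; wrap it in backticks as `` `<a>` `` (same for `href` if you want it to read as code). Two smaller text points in the same hunk: the heading at line 44 should be "# Reference", and the line numbers the Solution cites (26, 22, 10) count from the first line inside the ```php fence, not from the top of the Markdown file, where that code sits at lines 3 to 36; since the fence carries no line numbers, either say "line 22 of the listing" or number the snippet so the references can be followed. The reference entry at line 45 names the source (php-security-calendar-2017 Day 2 - Twig) but carries no link, so a reader cannot reach the original challenge from the page. Finally, the write-up ends at the bypass and says nothing about the fix, which is the part a defender needs: `return filter_var($nextSlide, FILTER_VALIDATE_URL);` only checks URL syntax and accepts any scheme, and Twig's `{{link|escape}}` (HTML strategy) only neutralises markup characters, so neither rejects a `javascript:` URL. One sentence noting that the remediation is to allow-list the scheme (for example, only `http` and `https` via `parse_url()`) before the value reaches the template would round out the Solution.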
