Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Stealing passwords from infosec Mastodon - without bypassing CSP

Gareth Heyes - Posted 3 years ago
  • Mastodon is an open source alternative to Twitter. With Elon Musk taking over Twitter, many people have flocked to this instead. Gareth decided to take a look at the security of the platform.
  • The social network allows you to enable HTML! Sounds like XSS by default - but the Markdown/HTML allowed was pretty limited. Bold tags and others were allowed but not much else. The author found the source code for parsing the HTML elements and started to look for bugs.
  • The application allowed a title attribute to be put into a tag. While playing around with double quotes, single quotes and quote-less attributes, Gareth was unable to escape the attribute. Things go bad when find-and-replace is combined with HTML parsing: Gareth learned that the text :verified: would be replaced by the verified icon (blue checkmark). What happens if we put this into the middle of the title attribute?
  • The markup below would magically get transformed and break out of the HTML when the shortcode was replaced!

    Before:
    <abbr title="<a href='https://blah'>:verified:</a>
       <iframe src=//garethheyes.co.uk/>"
    >

    After:
    <abbr title="<a href='https://blah</a>'><img draggable=" false" ... ><
    iframe src=//garethheyes.co.uk/>

  • If you look closely, the double quote from the swapped-in icon markup closes our title attribute and finishes our HTML! Now our iframe will get rendered. What can we do with an HTML injection bug and a strict CSP?
  • The final step of the attack was creating a legitimate-looking login page by injecting an iframe. What's interesting is that the form would autofill in Chrome! Additionally, the input can be made invisible and the user given a button to click which would send the form with the credentials. Pretty neat phishing attack!