Chess.com is a very popular online chess platform. The author decided to look into this site for security issues.
On the platform, you can add friends. Looking at that request, accepting a friend request is a GET request to a registration-invite URL carrying a long hash. So if a user were to click on this link, they would accept the friend request.
To make this more practical, they learned you could add an image link to your profile. This image link could be a direct link on chess.com! So the URL for the link could easily be changed to the friend-request URL, which, when loaded as an image on the profile, would force the viewer to accept the request. Pretty neat! When the developers tried to fix this, it was easy to bypass via a domain redirect.
They wanted to find a true XSS on the website, which led them to a TinyMCE editor. They started reading its configuration and noticed that the background-image style attribute was in the allowlist. When they added this attribute with a double quote in the URL, the quote was written out unescaped, resulting in a context break!
Since the double quote survived, it escaped the attribute context, letting them add extra attributes to the tag. They were able to add an onload attribute with JavaScript in it! However, many characters, such as parentheses and backticks, were not allowed.
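The attribute context break described above, as an added example that is not from the Chess.com write-up or the site's code: a hypothetical filter that interpolates the allowlisted background-image URL unsafely, next to a hardened version that validates and encodes it (function names and the example.com URLs are assumptions).

```javascript
// Added example (not from the Chess.com write-up): a hypothetical allowlist
// filter that drops a user-supplied URL into a background-image style attribute.

// Vulnerable: a double quote in the URL closes the style attribute, so the rest
// of the input is parsed as new attributes on the tag.
function renderImageStyleUnsafe(url) {
  return '<div style="background-image:url(' + url + ')"></div>';
}

// Return a normalised http(s) URL, or null if the value is not safe to embed.
function safeBackgroundImageUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null; // not an absolute URL at all
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    return null; // only fetchable image schemes are allowed
  }
  // Reject anything that can end the CSS url() token or the HTML attribute
  // up front, rather than trying to repair the value.
  if (/["'()\\\s<>]/.test(url)) {
    return null;
  }
  return parsed.href;
}

// Encode the characters that are significant inside a double-quoted attribute.
function encodeAttribute(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened: render only validated URLs, and encode even those.
function renderImageStyle(url) {
  const safe = safeBackgroundImageUrl(url);
  if (safe === null) {
    return '<div></div>'; // drop the background rather than emit a broken attribute
  }
  return '<div style="background-image:url(' + encodeAttribute(safe) + ')"></div>';
}

// Constructed probe: a benign attribute after a closing quote, standing in for
// the attribute injection described in the write-up.
const PROBE = 'https://example.com/a.png)" data-probe="1';
```

Running the probe through both builders shows the unsafe one emitting `data-probe` as a separate attribute, while the hardened one refuses the value entirely.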
The author goes through a long process of enumerating the restrictions on the exploit: only being able to use a ? once, dots being allowed, and many other things. When you're testing black-box, figuring out what you have and what the limitations are is super important. To start, they realized they could read cookies and redirect the page to extract them.
Overall, an interesting XSS article. I wish the explanation of why they tried specific things was clearer, but I enjoyed the vulnerability.