[Challenge]: Link Shortening Website XSS @hack.me

Challenge:  Link Shortening Website XSS
Author: yoyosh
Website: hack.me
Link: https://hack.me/103185/link-shortening-website-xss.html
Description: This is a simple Link Shortening Website. (Like bit.ly)
(It’s not that short in the hack.me sandbox but you get the point :P).

Your mission is to find and exploit an XSS vulnerability in it! X-XSS-Protection is 0. Good luck!

Solution:

The home page of this challenge presents a single entry point where I can insert the long link that I want to shorten.

To test the application I insert a simple link, https://www.google.it; after submitting, it returns the shortened link, in my case http://s67171-103185-qmw.croto.hack.me/?bs9kjd

The insert request is handled by a small JavaScript function that sends the long link as a parameter to the /ajax/shorten.php page:

function shortenLink(link) {
  $.get("/ajax/shorten.php", {
    "link": link
  }, null, "text")
    .done(handleResponse)
    .fail(error.bind(null, null));
}

To retrieve all the shortened links I have inserted, the home page calls the same endpoint on every reload, this time without the link parameter; the response is a JSON string:

{"links":[{"id":1,"short_link":"http:\/\/s67171-103185-wdc.croto.hack.me\/?q8gzo0","long_link":"http:\/\/www.google.it"}]}

Nice, the application works; the only injection point is the long link.

The page served for a shortened link contains the following HTML:

<a href="[INSERTED_LONG_LINK]" style="display: none;" />
<script>
document.getElementsByTagName("a")[0].click();
</script></a>

Now I have all the information I need about the application. The shorten.php page validates the URL, probably with a regex: to pass the filter, the long link must contain the sequence ://. Furthermore, every special character is HTML-encoded.

After a few more attempts I find a payload that satisfies the filter:

javascript://alert(/XSS/.source)

But there is a problem: the double slash starts a single-line JavaScript comment, so it comments out the rest of my payload.
To get the payload executed I must move it onto a new line (%0A is the URL-encoded line feed character):

javascript://%0Aalert(/XSS/.source)
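
As an added defender's note, not part of the original writeup: the check the author infers (a bare test for ://) next to a hardened validator that parses the link and allow-lists the scheme, both run over the writeup's payload. The weak check is my assumption about what shorten.php does; the hardened one is what a fix would look like, since an allow-listed scheme makes the javascript: trick irrelevant no matter how the rest of the string is shaped.

```javascript
// Added example (not the challenge's own code). The weak check is an
// assumption about shorten.php; the hardened check is the proposed fix.

// Weak check, assumed: accepts anything that contains "://".
function weakAccepts(link) {
  return /:\/\//.test(link);
}

// Hardened check: parse with the WHATWG URL parser and allow-list the
// scheme. javascript:, data:, ftp: and relative/malformed input are all
// rejected; the trailing "//" and the embedded newline in the payload do
// not matter because only the scheme decides.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function hardenedAccepts(link) {
  let url;
  try {
    url = new URL(link); // throws on relative or malformed input
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Run both checks over a constructed sample and return the verdicts.
function evaluate(links) {
  return links.map((link) => ({
    link,
    weak: weakAccepts(link),
    hardened: hardenedAccepts(link),
  }));
}

// Constructed sample input; the third entry is the writeup's payload,
// URL-decoded as the server would see it after the GET parameter is parsed.
const SAMPLE_LINKS = [
  "http://www.google.it",
  "https://example.com/path?q=1",
  decodeURIComponent("javascript://%0Aalert(/XSS/.source)"),
  "ftp://example.com/file", // contains "://" but is not allow-listed
  "www.google.it",          // no scheme at all
];

console.table(evaluate(SAMPLE_LINKS));
```

The weak check accepts the payload and the ftp: link; the hardened check accepts only the two http(s) entries.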