CORS Crossfire: An iCSI CTF


Josh Beck

VM Download with Walkthrough Directions Below

Summary:

This activity is designed to test and enhance participant understanding of Cross-Origin Resource Sharing (CORS).

Participants first set up two virtual sites using Apache2 within a controlled environment. Participants then develop JavaScript code that uses AJAX (Asynchronous JavaScript and XML) to retrieve data from the secondary virtual site through their primary virtual site via XMLHttpRequest. Participants learn the difference between requests made directly in the browser and those made via XMLHttpRequest from JavaScript, specifically how CORS headers affect the responses to such requests. Once this initial tutorial is complete, participants move on to exploiting the target VM.
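The distinction the tutorial teaches, between a URL loaded directly by the browser and the same URL read from script via XMLHttpRequest, comes down to a check the browser performs on the response headers. The following is an added JavaScript example, not code from the iCSI CTF or its VM: it models that check, shows what page script observes when it fails, and pairs it with the allowlisted server-side header logic a defender would use. The origins, header values and the functions `corsAllowsRead`, `simulateXhr` and `corsHeadersFor` are all constructed for illustration.

```javascript
// Added example (not the CTF's own code): a model of the browser-side CORS
// decision that determines whether script on one origin may read a response
// from another. All origins and header values below are constructed.

const PRIMARY_ORIGIN = 'http://site1.local';   // site running the XMLHttpRequest
const SECONDARY_ORIGIN = 'http://site2.local'; // site whose data is requested

// Browser-side check for a cross-origin response to a simple GET.
// headers: object with lowercase header names, as the secondary site sent them.
// withCredentials: whether the XHR was sent with cookies (xhr.withCredentials = true).
function corsAllowsRead(pageOrigin, headers, withCredentials) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (acao === '*') {
    return withCredentials
      ? { allowed: false, reason: 'wildcard not accepted for credentialed requests' }
      : { allowed: true, reason: 'wildcard origin' };
  }
  if (acao !== pageOrigin) {
    return { allowed: false, reason: `Access-Control-Allow-Origin is ${acao}, page origin is ${pageOrigin}` };
  }
  if (withCredentials && headers['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'credentialed request needs Access-Control-Allow-Credentials: true' };
  }
  return { allowed: true, reason: 'origin matched' };
}

// What page script observes once the XHR completes. The request always reaches
// the server; CORS only decides whether the browser hands the response body to
// script. A blocked response surfaces as status 0 with an empty responseText,
// while loading the same URL directly in the address bar renders normally.
function simulateXhr(pageOrigin, serverResponse, withCredentials = false) {
  const verdict = corsAllowsRead(pageOrigin, serverResponse.headers, withCredentials);
  if (!verdict.allowed) {
    return { status: 0, responseText: '', blocked: true, reason: verdict.reason };
  }
  return {
    status: serverResponse.status,
    responseText: serverResponse.body,
    blocked: false,
    reason: verdict.reason,
  };
}

// Server-side counterpart (hardened form): emit CORS headers only for an
// allowlisted Origin, and add Vary: Origin so shared caches keep per-origin
// responses apart. An origin not on the list gets no Allow-Origin header at all,
// so script on that origin cannot read the body even though the request was served.
function corsHeadersFor(requestOrigin, allowlist) {
  const headers = { vary: 'Origin' };
  if (allowlist.includes(requestOrigin)) {
    headers['access-control-allow-origin'] = requestOrigin;
    headers['access-control-allow-credentials'] = 'true';
  }
  return headers;
}

// Constructed responses from the secondary site for the cases the tutorial covers.
const noCorsResponse = { status: 200, headers: {}, body: 'account data' };
const allowedResponse = {
  status: 200,
  headers: corsHeadersFor(PRIMARY_ORIGIN, [PRIMARY_ORIGIN]),
  body: 'account data',
};
const unlistedOrigin = 'http://other.local';
const unlistedResponse = {
  status: 200,
  headers: corsHeadersFor(unlistedOrigin, [PRIMARY_ORIGIN]),
  body: 'account data',
};

// Walk through the cases; each prints the verdict script on the primary site would see.
for (const [label, origin, resp, creds] of [
  ['no CORS headers', PRIMARY_ORIGIN, noCorsResponse, false],
  ['allowlisted origin, with cookies', PRIMARY_ORIGIN, allowedResponse, true],
  ['unlisted origin, with cookies', unlistedOrigin, unlistedResponse, true],
]) {
  const r = simulateXhr(origin, resp, creds);
  console.log(`${label} -> ${SECONDARY_ORIGIN}: status ${r.status}, blocked=${r.blocked} (${r.reason})`);
}
```

`corsAllowsRead` covers only the simple-request path (no preflight); the point it makes is that the browser, not the server, withholds the body, which is why the CTF's objective turns on whether the target site sends CORS headers that name the requesting origin.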

Objective:

The challenge involves a virtual machine (VM) simulated as a banking website. Each participant begins with a balance of $100. An invisible ‘admin’ user exists on the system, possessing a significant amount of funds, who regularly checks the website’s messaging system. The task is to execute a blind Cross-Site Scripting (XSS) attack on this admin through the site’s messaging feature. Using a malicious Python3 web server set up on Kali Linux and knowledge of why Cross-Origin Resource Sharing (CORS) headers are necessary for the attack to succeed, participants coerce the admin into transferring $10,000 to their account. The challenge is completed and the flag is obtained once the participant’s bank account exceeds $10,000.

The VM with download instructions can be found here.
