xss-stored-html in pwnshop

web-security/pwnshop.yml

@@ -26,3 +26,5 @@ challenges:
   challenge: SQLInjectionSchema
 - id: sqli-blind
   challenge: SQLInjectionBlind
+- id: xss-stored-html
+  challenge: XSSStoredHTML

web-security/xss-stored-html/server

@@ -1,12 +1,15 @@
 #!/opt/pwn.college/python
 
-import tempfile
-import sqlite3
 import flask
 import os
 
 app = flask.Flask(__name__)
 
+
+import sqlite3
+import tempfile
+
+
 class TemporaryDB:
     def __init__(self):
         self.db_file = tempfile.NamedTemporaryFile("x", suffix=".db")
@@ -19,16 +22,20 @@ class TemporaryDB:
         connection.commit()
         return result
 
+
 db = TemporaryDB()
+
 # https://www.sqlite.org/lang_createtable.html
 db.execute("""CREATE TABLE posts AS SELECT "First Post!" AS content""")
 
+
 @app.route("/", methods=["POST"])
 def challenge_post():
     content = flask.request.form.get("content", "")
     db.execute("INSERT INTO posts VALUES (?)", [content])
     return flask.redirect(flask.request.path)
 
+
 @app.route("/", methods=["GET"])
 def challenge_get():
     page = "<html><body>\nWelcome to pwnpost, the anonymous posting service. Post away!\n"
@@ -39,6 +46,7 @@ def challenge_get():
 
     return page + "</body></html>"
 
+
 app.secret_key = os.urandom(8)
-app.config['SERVER_NAME'] = f"challenge.localhost:80"
+app.config["SERVER_NAME"] = f"challenge.localhost:80"
 app.run("challenge.localhost", 80)

web-security/xss-stored-html/victim

@@ -5,7 +5,7 @@ import psutil
 import sys
 import re
 
-open_ports = { s.laddr.port for s in psutil.net_connections(kind="inet") if s.status == 'LISTEN' }
+open_ports = {s.laddr.port for s in psutil.net_connections(kind="inet") if s.status == "LISTEN"}
 if 80 not in open_ports:
     print("Service doesn't seem to be running?")
     sys.exit(1)