{% extends "base.html" %}
{% block title %}Lab Tasks - CVE-2026-5026 Lab{% endblock %}

{% block content %}
<div class="border-b border-gray-300 pb-3 mb-4">
  <h1 class="text-[#1a26c9] text-lg font-medium">Lab Tasks</h1>
  <p class="text-base mt-0.5">CVE-2026-5026 - Stored XSS via Malicious SVG Upload</p>
</div>
 
<!-- Progress -->
<div class="border border-gray-300 rounded-xl p-4 mb-4">
  <p class="text-sm uppercase tracking-widest mb-3">Progress</p>
 
  <div class="py-2.5 border-b border-gray-300">
    <p class="text-sm">Task 1 - Basic XSS Alert</p>
    <p class="text-xs mt-1">Upload an SVG that triggers alert("Task 1 complete with success!!") when rendered.</p>
  </div>
 
  <div class="py-2.5 border-b border-gray-300">
    <p class="text-sm">Task 2 - Cookie Exfiltration</p>
    <p class="text-xs mt-1">Send session cookie to attacker-controlled listener</p>
  </div>
 
  <div class="py-2.5">
    <p class="text-sm">Task 3 - Authenticated Action</p>
    <p class="text-xs mt-1">POST on behalf of victim, capture the flag</p>
  </div>
</div>
 
<!-- Vulnerability explanation -->
<div class="border border-gray-300 rounded-xl p-4 mb-4">
  <p class="text-sm uppercase tracking-widest mb-3">Why SVGs are dangerous</p>
  <p class="text-sm leading-relaxed mb-1">
    Unlike JPEG or PNG, SVG files are XML documents parsed and executed by the browser.
    Any <code class="bg-[#080810] px-1 rounded text-[#a0c4ff]">&lt;script&gt;</code> tag or event handler
    (e.g. <code class="bg-[#080810] px-1 rounded text-[#a0c4ff]">onload=</code>) inside an SVG runs
    in the context of the hosting page — with full access to <code class="bg-[#080810] px-1 rounded text-[#a0c4ff]">document.cookie</code>,
    the DOM, and the user's authenticated session.
  </p>
  <p class="text-sm leading-relaxed">
    When the server stores and serves these files inline without sanitization, any user who views
    the file executes the attacker's code — this is <span class="font-semibold">Stored XSS</span>.
  </p>
</div>
 
<!-- Mitigations -->
<div class="border border-gray-300 rounded-xl p-4">
  <p class="text-sm uppercase tracking-widest mb-3">Mitigations</p>
 
  <div class="flex flex-col gap-4">
 
    <div>
      <p class="text-sm mb-1">1. SVG Sanitization (DOMPurify)</p>
      <div class="bg-[#080810] rounded p-3 text-[#a0c4ff] text-sm font-mono">
        DOMPurify.sanitize(svgContent, {USE_PROFILES: {svg: true}})
      </div>
    </div>
 
    <div>
      <p class="text-lab-text text-sm mb-1">2. Content Security Policy</p>
      <div class="bg-[#080810] rounded p-3 text-[#a0c4ff] text-sm font-mono">
        Content-Security-Policy: default-src 'self'; script-src 'none'
      </div>
    </div>
 
    <div>
      <p class="text-lab-text text-sm mb-1">3. Serve SVGs as attachment (not inline)</p>
      <div class="bg-[#080810] rounded p-3 text-[#a0c4ff] text-sm font-mono leading-relaxed">
        Content-Disposition: attachment; filename="file.svg"<br>
        X-Content-Type-Options: nosniff
      </div>
    </div>
 
    <div>
      <p class="text-lab-text text-sm mb-1">4. Server-side MIME validation</p>
      <div class="bg-[#080810] rounded p-3 text-[#a0c4ff] text-sm font-mono">
        if file.content_type != 'image/svg+xml': reject()
      </div>
    </div>
 
    <div>
      <p class="text-lab-text text-sm mb-1">5. HttpOnly cookies + CSRF tokens</p>
      <div class="bg-[#080810] rounded p-3 text-[#a0c4ff] text-sm font-mono leading-relaxed">
        app.config['SESSION_COOKIE_HTTPONLY'] = True<br>
        # + flask-wtf for CSRF protection
      </div>
    </div>
 
  </div>
</div>
{% endblock %}
 
{% block scripts %}
{% endblock %}