DOJO CHALLENGE #14 Winners!

Published: 2021-10-25

The 14th DOJO CHALLENGE consisted of understanding the principle of the JS hoisting mechanism and bypassing the security to execute a function in order to recover the flag. This DOJO was created by one of our community members. Thanks to him for this great challenge!

💡 You want to create your own DOJO and publish it? Send us a message on Twitter!

WINNERS!

We are glad to announce the #14 DOJO Challenge winners list.

3 BEST WRITE-UP REPORTS

  • The best write-up reports were submitted by: Dtql, Brumens and s3asarv3sh

Subscribe to our Twitter or Linkedin feeds to be notified of the upcoming challenges.

Read on to find the best write-up as well as the challenge author's recommendations.

The challenge

We all know how prototype works, but, is this really a proto here?

We asked you to produce a qualified write-up report explaining the logic allowing such exploitation. This write-up serves two purposes:

  • Ensure no copy-paste would occur.
  • Determine the contestant's ability to properly describe a vulnerability and its vectors inside a professionally written report. This capacity gives us invaluable hints on your own, unique, talent as a bug hunter.

BEST WRITE-UP REPORT

Brumens's report was well detailed and really useful to understand the logic of this challenge. All the steps are clearly explained and it's very useful for everyone to understand how he went about solving this DOJO.

The other reports, notably Dtql's and s3asarv3sh's, were also very nice. We're sorry we can't publish them all, because that's where you clearly witness the outstanding creativity of our community.

Thank you all for playing with us!

Brumens's Write-Up


-------------- START OF Brumens REPORT ------------------

Description

A cross-site scripting (XSS) [1] vulnerability was located inside https://dojo-yeswehack.com/Playground#{token}. The JavaScript [2] that was running on the page generated a flag that was hidden.

Inside the JavaScript code there was an IF statement [3] with the task of printing out the flag to the page.
The IF statement will only run if the variable [4] "showFlag" had been defined [4]. The JavaScript code had not defined the variable "showFlag" before running the IF statement; because it didn't define the variable, the IF statement wasn't executed. This method kept the flag hidden.

The user has the ability to input a value into the "showFlag" variable by using the parameter "config". The user can also execute JavaScript by inserting a semicolon (;) that ends the value of "config" and gives the advantage to craft custom JavaScript code to gather the hidden flag. However, the variable "showFlag" was declared by the original JavaScript code before the IF statement and user input was executed.

The problem is that JavaScript has a process that allocates memory for variable and function declarations prior to execution of the code. This means that JavaScript has the "showFlag" variable in its memory with its default value ("undefined"). This refers to Hoisting [5], which creates a vulnerability inside the JavaScript code. This is because the user is able to define the variable "showFlag" into a function that will set "showFlag" to the default value of a function. When JavaScript makes its Hoisting process, the IF statement will execute and expose the hidden flag to the user.

Exploitation

The vulnerability is possible because of JavaScript's Hoisting prior to execution of the code.

//var showFlag = true;
var flag = `FLAG{${Math.random().toString(13.37).slice(2)}}`;

if (showFlag){
  document.write(flag);
} else {
  document.write(`Flag display not enabled!`);
}
flag = null;

var showFlag = $config;

The attacker changes the value of "$config" and breaks out with the semicolon to execute custom JavaScript in the code. The following payload 1337;function/**/showFlag(){} will set "showFlag" to the value of a function.

When the JavaScript code has done its Hoisting process, it then executes the code. Since the variable "showFlag" now has the value of a function, the IF statement will run successfully and expose the hidden flag.

Proof Of Concept

The image below shows the process, exploitation and the exposed flag.

Impact of the vulnerability

The impact of this vulnerability is that an attacker is able to break out from the user input and execute custom crafted JavaScript, which leads to an XSS. By using this ability the attacker is able to exploit the Hoisting process that JavaScript does before the code is executed.
This leads to the flag being exposed to the attacker.

Supported links

[1] https://portswigger.net/web-security/cross-site-scripting - Portswigger, "Cross-site scripting"

[2] https://developer.mozilla.org/en-US/docs/Learn/JavaScript/First_steps/What_is_JavaScript - Mozilla, "What is Javascript"

[3] https://www.w3schools.com/js/js_if_else.asp - W3 Schools, "JavaScript if else and else if"

[4] https://www.w3schools.com/js/js_variables.asp - W3 Schools, "JavaScript Variables"

[5] https://developer.mozilla.org/en-US/docs/Glossary/Hoisting - Mozilla, "Hoisting"


-------------- END OF Brumens REPORT ------------------
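
The hoisting behaviour described in the report can be reproduced offline. The following is an added example, not part of the report or the DOJO's own code: it renders the challenge template once with raw substitution and once with the input encoded as a string literal, then evaluates each result against a stub document object. The names renderUnsafe, renderSafe and run are hypothetical, and the encoding fix is an assumption about how the page could be hardened.

```javascript
// Added example: the challenge template from the write-up, rendered two ways.
// "$config" is the placeholder that the server fills with user input.
const TEMPLATE = [
  'var flag = `FLAG{${Math.random().toString(13.37).slice(2)}}`;',
  'if (showFlag){',
  '  document.write(flag);',
  '} else {',
  '  document.write(`Flag display not enabled!`);',
  '}',
  'flag = null;',
  'var showFlag = $config;',
].join('\n');

const PAYLOAD = '1337;function/**/showFlag(){}'; // payload quoted in the report

// Vulnerable rendering: raw substitution, so the input can add new statements.
// A function declaration added this way is hoisted above the if statement.
function renderUnsafe(config) {
  return TEMPLATE.replace('$config', () => config);
}

// Hardened rendering (assumed fix, not from the page): emit the input as a
// JavaScript string literal, also escaping "<" and the line separators that
// matter inside an inline <script> block. The input stays data.
function renderSafe(config) {
  const literal = JSON.stringify(String(config)).replace(
    /[<\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
  return TEMPLATE.replace('$config', () => literal);
}

// Evaluate a rendered script with a stub "document" and collect what it writes.
function run(source) {
  const out = [];
  new Function('document', source)({ write: (s) => out.push(String(s)) });
  return out.join('');
}

console.log(run(renderUnsafe('true')));  // assignment comes after the check
console.log(run(renderUnsafe(PAYLOAD))); // hoisted function makes the check truthy
console.log(run(renderSafe(PAYLOAD)));   // payload is only a string value
```

Even the intended value true does not reveal the flag, because the var assignment runs after the if statement; only a hoisted function declaration is initialised early enough to change the check.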


