YesWeHack & Alibaba Security Meetup challenge solution

The goal of the challenge was to find an XSS vulnerability on a minimalist website.

It was composed of 3 steps of increasing difficulty in the form of extra security layer. All the payload are tested with Chrome 75.

difficulty Escape GET value X-XSS-Protection CSP
easy NO 0 NO
medium YES 1 NO
hard YES 1 YES

+ Read More

Catch the flag, catch the (real!) gold

Did you ever have the chance to win a pure gold medal ?
THIS IS HAPPENING : Join us next week, on the 18th of June, at the Alibaba Security Meetup-hacker Community Event organized by Alibaba Security and Lazada in partnership with YesWeHack

Highlights of the evening

Hacking game

  • 1h to solve
  • 3 levels
  • All of them are real vulnerability from bug bounty
    🏅 Pure gold medal for Top 1 🏅
  • @BitK_ will gives the solution and shares tips and tricks about how to find a vulnerability.

Pick a lock game

  • Nine different locks and tools
  • Learn about the vulnerabilities of lock and locking devices
  • Try to pick a lock by yourself.

New bug bounty

  • ASRC private bug bounty program
  • ASRC Vulnerability Rewards Program

Other

  • Dinner & Beer
  • Break ice and Gather stamps Game

Agenda

17:30-18:00 Sign in
18:00-18:30 Ice breaking game & Dinner& networking
18:30-19:40 Hacking game & Pick a lock game
19:40-19:50 Bug Bounty Announce
19:50-20:00 Award ceremony for hacking game
20:00-20:30 One session
20:30-21:00 Gives the solution to the hacking game and shares tips and tricks about how to find a vulnerability.

Hacking game

Description

Do you think XSS is “low hanging fruit” ?
So just exploit it on the website provided during the event and call alert(document.domain).

There are 3 levels of increasing difficulty each one is worth 100pts, and they are real XSS discovered on bug bounty…
For each step submit your payload to @yeswehack

All your payloads will be tested on a default installation of Chrome 75
At the end of the timer, the one with the most points will be declared the winner.

If two players have the same score, the first one to reach the score will be declared the winner.

Rules

This is an XSS challenge, no need to brute force or automated tools.
This is NOT a cryptography challenge.
Your solution for each step will be a single link.
Just bring your laptop and chrome75 installed

About the event

Alibaba Security Meetup is a security event hosted by Lazada and ASRC. 
The goal of these meet-ups is to build a strong “security community” within the South East Asia. 
By becoming a member of such a community, you will get to:

  1. Learn about the new trends within the Information Security domain.
  2. Participate in the CTF and win prizes.
  3. Learn more about the ASRC bug bounty platform.
  4. Collect swags and relish food and drinks while networking with your peers in the domain of information security.
    The goal of these meet-ups is to build a strong “security community” within the South East Asia. By becoming a member of such a community, you will get to

For more details about ASRC Vulnerability Rewards Program, please visit:
https://security.alibaba.com/online

See you next week Singapore

Let’s break stuff together Singapore : YesWeHack is coming up with a brand new CTF at Infosec in the City !

 

Infosec in the City Singapore is a premier techno-centric cybersecurity event, bringing together top cybersecurity leaders from both the East and the West to share deep-technical insights, and build the next-generation cybersecurity capabilities around the globe.

Visit YesWeHack at booth 5N7-01 to learn how you can make cybersecurity an accelerator of your digital transformation with Bug Bounty!

Get a product demo, meet our team, grab your loot and break the codes 

You want to challenge your skills and get reward?

CTF in THE CITY by YesWeHack

The CTF competition is open to all conference ticket holders and visitors to play, enjoy and compete. Participants simply have to come at the YesWeHack booth, in front of the CTF area, 5N7-01, or directly to the CTF Area.

Ready to hack ?

The CTF will have multiple categories of challenges and different levels from beginner to advanced… But only the best will get the prizes :

Centurion Information Security will give SGD 1000 in cash (1st $500, 2snd $300, 3rd $200)
HITB will give one ticket to attend HITB Singapore (27-31 August 19) – value of 1,199 USD

CTF sponsored and created by YesWeHack
Prizes by HITB and Centurion Information Security

Solution for “A Weird XSS Case”

This challenge was created for BSidesDublin 2019, the goal was to
trigger an alert using an XSS on the domain https://bsides2019dublin.h4cktheplanet.com/.

Nobody was able to solve it during the event so we decided to keep it online for an extra week to let you play with it.

3 persons managed to solve it during this extra time:

Here is the full solution

The website is a single HTML file asking for an username.

When you submit an username some checks are made and a message tells you if the submitted username is l33t or not.

Let’s take a look at the JavaScript code.

+ Read More