DOJO CHALLENGE #3 Winners!

November 25, 2020

The third DOJO CHALLENGE was about finding a valid XSS payload. The first five challenge solves and the five best write-up reports were rewarded with a nifty goodies pack. We had a great variety of working payloads, demonstrating the vibrant creativity of our community. Thank you all for playing with us!

What is DOJO?

The YesWeHack DOJO is a visual exploitation environment and training platform geared towards learning bug exploitation the fun and visual way.

Introducing the YesWeHack DOJO

The DOJO is three things in one: a learning tool, a training platform and a playground.

The DOJO is the arena where the third challenge took place (see the announcement here).

WINNERS!

We are glad to announce the #3 DOJO Challenge winners list. Everyone will receive a goodies pack.

5 FIRST SOLVES

Marcosen
Smithdthjohn886
Pinta
ctfpoulpe
WhiteWine

5 BEST WRITE-UP REPORTS

Sapic
Serizao
Smithdthjohn886
Pinky
Ivarsvids

Other contestants will be able to re-enter the race on the next challenge! Subscribe to our Twitter or LinkedIn feeds for the forthcoming challenge announcements.

Read on to find the best write-up as well as the challenge author’s recommendations.

The challenge

You had to successfully trigger an XSS by exploiting two heavily filtered parameters. The execution context was also inside a conditional block that had to be bypassed somehow.

See the challenge page >

We also asked you to produce a qualified write-up report explaining the logic allowing such exploitation. This write-up serves two purposes:

  • Ensure no copy-paste would occur.
  • Determine the contestant's ability to properly describe a vulnerability and its vectors in a professionally written report. This capacity gives us invaluable hints about your own unique talent as a bug hunter.

Best write-up report

We publish here the best write-up report for this session with the permission of its author, @maxenceschmitt AKA SAPIC on YesWeHack.

The vector used was not the simplest, but it was unique across all the reports.

Thank you!

/—– SENSEI SAPIC’s REPORT ———————————————————–/

Description

Cross-site scripting (XSS) is a vulnerability that allows an attacker to run JavaScript in a victim's browser context. The attacker can thus leverage it to take action on behalf of the victim. Most of the time, an XSS allows an attacker to steal a session and take over an account.

As per the description of the challenge, the goal is to trigger an XSS in the DOJO Playground using two parameters: $age and $name.

Exploitation

Here is the source code of the challenge:

<script>
const age = $age
const name = "$name"
if (age > 18 && name.length ){
  document.write(`Welcome to my adult website ${name} 8=D`)
} else {
  document.write(`Go away`)
}
</script>

Let’s have a look at the code… We have two inputs with the following constraints:

  • $age with a max length of 2
  • $name with the following blacklist: <,>,,',"

The code also has other interesting elements:

  • $age and $name are defined as constants
  • $age value is not between " or '

Thus, we will not be able to escape the code logic from the $name variable.

So we will focus on the $age value and try to find an XSS with template literals:

We can see that a single backtick in $age works and makes the rest of the code interpreted as a template literal.

Sadly, $age is limited to 2 characters. But we can freely use the $name input for our payload.

We will use the template literals placeholder to trigger our XSS. As per the documentation:

Template literals can contain placeholders. These are indicated by the dollar sign and curly braces (${expression}). The expressions in the placeholders and the text between the backticks (` `) get passed to a function.

So, let’s put:

${alert(window.name)}`//

inside $name, where:

  • ${} : is the placeholder to be interpreted as JavaScript
  • alert(window.name) : is the requested payload to validate the challenge
  • ` : to close the template string
  • // : to comment out the closing " that follows in the code

Let’s push Enter to try it out:

Youhou it’s working!!!!

PoC

$age=`
$name=${alert(window.name)}`//

Conclusion

Thanks for the challenge!! It’s the first challenge I am doing with YesWeHack and it’s a good experience. The DOJO Playground interface makes it fun to play with and it is very good for learning. Thanks, @Bitk_ for this.

/—– END of SAPIC’s REPORT ———————————————————–/

BitK’s Editor note

BitK is the Technical Ambassador at Yes We Hack. He also created the DOJO and this challenge.

Using backticks was not the only possible solution. You could use comments as well with $age = /* and $name starting with */.

Another solution would be to make $age = ", as this would escape the end-of-line character and make a multiline string ending just where our $name starts.
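To see why the unquoted $age interpolation is the root cause and how the template should have been rendered, here is an added example (not SAPIC's, BitK's or the DOJO's code). It renders the challenge template both the vulnerable way and a hardened way, then runs the result in a constructed stub browser; the stub's window.name value, the tail of the comment-based payload, and the renderSafe/renderUnsafe names are assumptions.

```javascript
// Body of the challenge script, shared by both renderers.
const BODY = [
  'if (age > 18 && name.length ){',
  '  document.write(`Welcome to my adult website ${name} 8=D`)',
  '} else {',
  '  document.write(`Go away`)',
  '}',
].join('\n');
// Vulnerable renderer: raw interpolation of $age and $name, as in the challenge.
function renderUnsafe(age, name) {
  return `const age = ${age}\nconst name = "${name}"\n${BODY}`;
}
// Hardened renderer: $age must be an integer and $name becomes a JSON string
// literal with "<" and U+2028/U+2029 escaped, so neither value can leave its
// literal or close the surrounding <script> element.
function renderSafe(age, name) {
  const n = Number(age);
  if (!Number.isInteger(n) || String(age).trim() !== String(n)) {
    throw new TypeError('age must be an integer');
  }
  const lit = JSON.stringify(String(name))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return `const age = ${n}\nconst name = ${lit}\n${BODY}`;
}
// Constructed stub browser: records alert() and document.write() calls. The script
// runs inside `with (window)` so a bare `name` falls back to window.name when an
// injection swallows the `const name` declaration, as it would in a real page.
function runInStubBrowser(script) {
  const log = { alerts: [], writes: [], error: null };
  const window = {
    name: 'win',
    alert: (v) => { log.alerts.push(String(v)); },
    document: { write: (s) => { log.writes.push(s); } },
  };
  try {
    new Function('window', `with (window) {\n${script}\n}`)(window);
  } catch (e) {
    log.error = e.constructor.name;
  }
  return log;
}
// SAPIC's template-literal payload, plus a comment-based variant built from BitK's
// hint ($age = /*, $name starting with */); the tail after */ is constructed.
const PAYLOADS = {
  backtick: { age: '`', name: '${alert(window.name)}`//' },
  comment: { age: '/*', name: '*/alert(window.name)//' },
};
```

Both payloads fire alert() through renderUnsafe, while renderSafe rejects the non-integer $age and keeps the $name payload as inert string data.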