Feb 20, 2021
WRITEUP | Intigriti Challenge-0221
Challenge by @holme_sec
First Look
The site is simple, It is an application form for the Unicodeversity WACK system.
“Welcome to the Unicodeversity’s Well-trusted Assignment Computer Knowledge system, where we primarily focus on your ability to use cool Unicode and not so much on the content of your submissions.”
Playing with the page
After submiting some random values and clicking Submit we’re addressed with a shareable link for our submission:
The link leading to:
https://challenge-0221.intigriti.io/?assignmentTitle=AAAA&assignmentText=AAAA
Injection (Or at least trying)
In the source code we can see our query parameters reflected here:
Both do basic sanitization with html entities:
How can we break html entities? isn’t it bullet proof? not so fast. Notice the X-Powered-By header:
This is PHP. yeah. it’s must be broken somehow. Now at this point I was kinda confused on what to do and then I took another glance at the site. It’s filled with the word “Unicode”. . . alright!
Unicode?
The first thing I tried was ❤ (also note I will focus only on one of the parameters because they function the same)
WTF? ‘ 64 that’s… unexpected. What is ❤ anyway? The symbol code for it is U+2764. 64? ammmm and 27 is the hex ASCII value for ‘ . I kinda get it now?
In that case let’s say I want to get <
Inserting %E3%B0%80 as assignmentTitle in our url will lead to
YES! We’ve bypassed html entities encoding through some weird unicode encoding trick! but notice the following chars (00) we might be able to insert whatever byte we want but following it will be an hex encoded byte.
Now What?
At this point it’s fair to look back and figure out. Okay how do we get an XSS.
Strict Content-Security-Policy:
Eval in source code:
Because of the strict content security policy we can’t just add an onclick attribute and call it quits we need to control “result.questionAnswer.value”.
Try to find the vulnerable part in the following function:
This function gets called when we give the site the “autosubmit” query param:
The vulnerability is here:
If we can control window.result it won’t be destroyed by this function.
So how can we control window.result?
Dom Clobbering
Go read https://portswigger.net/research/dom-clobbering-strikes-back it’s basically more than I can ever explain dom clobbering. @garethheyes is an incredible Security Researcher and I will be using his code (given in the link before) momenterally.
To clobber result.questionAnswer.value as seen in gareth’s post:
<form id=result><output id=questionAnswer>INJECTION</output>
But remember our problem? We can’t use the < character without it being followed by two hex characters.
All html tags that start with [a-f][a-f] are:
[“abbr”, “acronym”, “address”, “base”, “basefont”, “bdi”, “bdo”, “canvas”, “caption”, “center”, “data”, “datalist”, “dd”, “del”, “details”, “dfn”]
We can use the snippet from gareth’s (modified slightly) to find all the injectable attributes from this elements, remember we are looking for the “value” attribute:
<data value=”hey” /> is our valid substitution for <output>! And we can use the HTMLCollection trick, so instead of form so by creating two tags with the same id and one with name it will be DomCollection.name
Now we can make our payload:
<bb id=result /> <data id=result name=questionAnswer value=-alert(document.domain) />
Let’s unicodify it!
Final Payload: Execution
We will use our trick to generate <bb and <da . 㳝 and 㳚 respectivily.
Also “00 with ∀ and viola!
or
?autosubmit=true&assignmentTitle=∀/㸀㳝%20id=result%20㸀㳚ta%20id=result%20name=questionAnswer%20value=∀%20-alert(document.domain)∀%20㸀
Fin
Thanks for reading, I hope you are safe and wearing a mask in these times and that you’ve learnt from this writeup.
Thanks to intigriti for delivering awesome challenges very month!
