Prototype Pollution, reCAPTCHA and XSS - Solution to June '23 Challenge

Published: 27 June 2023
On channel: Intigriti

🏆 The official writeup for the June '23 Challenge. There are at least three possible solutions, all featuring prototype pollution (jQuery 2.2.4 - deparam) and XSS 😎

The differences will be outlined in the video, but a quick summary:
1) Intended: Pollute the Sanitizer() config to allow unknown markup and the Google reCAPTCHA-related attributes.
2) Unintended #1: Use reCAPTCHA (srcdoc, like intended) as a gadget without changing Sanitizer config (pollute sitekey).
3) Unintended #2: Use jquery script gadgets ($(x).off - delegateTarget), bypassing reCAPTCHA and the domain check.
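All three paths start from the same root cause: a deparam-style query parser that walks bracketed keys into nested objects without checking the key names, so a `__proto__[...]` segment lands on `Object.prototype` and every later `{}` in the page inherits it. The following is an added example, not code from the challenge or from jQuery's deparam: a minimal parser in that style, once in the naive form that pollutes the prototype, and once hardened (null-prototype containers plus rejection of `__proto__`, `constructor` and `prototype` segments). The function and key names and the constructed query string are assumptions for illustration only.

```javascript
// Added example (not the challenge's or jQuery's code). Constructed input and
// hypothetical helper names throughout.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// "a[b][c]" -> ["a", "b", "c"]; a key without brackets is returned as-is.
function splitKey(key) {
  const m = /^([^\[]+)((?:\[[^\]]*\])*)$/.exec(key);
  if (!m) return [key];
  const parts = [m[1]];
  const re = /\[([^\]]*)\]/g;
  let b;
  while ((b = re.exec(m[2])) !== null) parts.push(b[1]);
  return parts;
}

// Yield [keyPath, value] for each "k=v" pair of a query string.
function pairs(query) {
  const out = [];
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? "" : pair.slice(eq + 1);
    const keys = splitKey(decodeURIComponent(rawKey.replace(/\+/g, " ")));
    out.push([keys, decodeURIComponent(rawVal.replace(/\+/g, " "))]);
  }
  return out;
}

// Naive parser: creates/descends into nested objects with no key check.
// For a segment "__proto__", `cur["__proto__"]` resolves to Object.prototype,
// so the final assignment writes a property visible on every plain object.
function naiveDeparam(query) {
  const result = {};
  for (const [keys, value] of pairs(query)) {
    let cur = result;
    keys.forEach((k, i) => {
      if (i === keys.length - 1) {
        cur[k] = value;
      } else {
        if (typeof cur[k] !== "object" || cur[k] === null) cur[k] = {};
        cur = cur[k];
      }
    });
  }
  return result;
}

// Hardened parser: drops any pair whose path touches a forbidden segment and
// builds null-prototype containers, so even an unforeseen segment can only
// land on an own property of the result, never on a shared prototype.
function safeDeparam(query) {
  const result = Object.create(null);
  for (const [keys, value] of pairs(query)) {
    if (keys.some((k) => FORBIDDEN_KEYS.has(k))) continue;
    let cur = result;
    keys.forEach((k, i) => {
      if (i === keys.length - 1) {
        cur[k] = value;
      } else {
        const own = Object.prototype.hasOwnProperty.call(cur, k);
        if (!own || typeof cur[k] !== "object" || cur[k] === null) {
          cur[k] = Object.create(null);
        }
        cur = cur[k];
      }
    });
  }
  return result;
}

// Run both parsers on the same constructed query and report whether a fresh
// `{}` inherited the injected property afterwards. The prototype is cleaned
// up in between so the naive run does not affect the rest of the process.
function demonstrate() {
  const payload = "__proto__[polluted]=yes&a[b]=1"; // constructed input
  naiveDeparam(payload);
  const naiveLeaked = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  const parsed = safeDeparam(payload);
  const safeLeaked = ({}).polluted !== undefined;
  return { naiveLeaked, safeLeaked, parsed };
}
```

`demonstrate()` returns `naiveLeaked: true` and `safeLeaked: false`, with `parsed` containing only `a.b = "1"`. Rejecting the key names alone is not enough on its own in general (aliases and encoding variants tend to creep in), which is why the hardened version also refuses to descend into anything that is not an own, plain container of the result.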

Follow Godson: / 0xgodson_
Solve the challenge: https://challenge-0623.intigriti.io

🧑💻 Sign up and start hacking right now - https://go.intigriti.com/register

🐱💻 Can't get enough of these challenges? - https://blog.intigriti.com/hackademy/...

👾 Join our Discord - https://go.intigriti.com/discord

🎙️ This show is hosted by / _cryptocat ( @_CryptoCat ) & / intigriti

👕 Do you want some Intigriti Swag? Check out https://swag.intigriti.com

00:00 Intro
01:55 Enable Sanitizer API in Firefox
02:41 Explore site functionality
03:38 Source code review
08:32 Setup challenge (local environment)
10:06 jquery 2.2.4 deparam prototype pollution
12:45 reCAPTCHA as a gadget
15:01 Pollute Sanitizer() config
18:37 Bypassing the domain check (remote)
20:51 Summary of intended solution
22:04 Bonus: Unintended #1 - reCAPTCHA sitekey pollution
23:17 Bonus: Unintended #2 - jquery script gadgets
25:02 Recap
26:24 Conclusion