🏆 The official writeup for the June '23 Challenge. There are at least 3 possible solutions, all featuring prototype pollution (jquery 2.2.4 - deparam) and XSS 😎
The differences will be outlined in the video, but a quick summary:
1) Intended: Pollute Sanitizer() config to allow unknown markup and the Google reCAPTCHA related attributes.
2) Unintended #1: Use reCAPTCHA (srcdoc, like intended) as a gadget without changing Sanitizer config (pollute sitekey).
3) Unintended #2: Use jquery script gadgets ($(x).off - delegateTarget), bypassing reCAPTCHA and the domain check.
Follow Godson: / 0xgodson_
Solve the challenge: https://challenge-0623.intigriti.io
🧑💻 Sign up and start hacking right now - https://go.intigriti.com/register
🐱💻 Can't get enough of these challenges? - https://blog.intigriti.com/hackademy/...
👾 Join our Discord - https://go.intigriti.com/discord
🎙️ This show is hosted by / _cryptocat (@_CryptoCat) & / intigriti
👕 Do you want some Intigriti Swag? Check out https://swag.intigriti.com
00:00 Intro
01:55 Enable Sanitizer API in Firefox
02:41 Explore site functionality
03:38 Source code review
08:32 Setup challenge (local environment)
10:06 jquery 2.2.4 deparam prototype pollution
12:45 reCAPTCHA as a gadget
15:01 Pollute Sanitizer() config
18:37 Bypassing the domain check (remote)
20:51 Summary of intended solution
22:04 Bonus: Unintended #1 - reCAPTCHA sitekey pollution
23:17 Bonus: Unintended #2 - jquery script gadgets
25:02 Recap
26:24 Conclusion