Unicode Normalization and Cookie Path Precedence - Solution to February (Valentines) '24 Challenge

Опубликовано: 23 Февраль 2024
на канале: Intigriti

1,368

🏆 The official writeup for the February '24 Challenge, which involves unicode normalisation (DOMPurify bypass), XSS and cookie manipulation (path precedence). We received 32 valid submissions (and 7 awesome writeups), many of which exploited an unintended race condition 👀 In this video, we'll breakdown the solution 🧠

Full blog/writeup: https://bugology.intigriti.io/intigri...
Follow ‪@GoatSniff‬ : / goatsniff
Solve the challenge: https://challenge-0224.intigriti.io

🧑💻 Sign up and start hacking right now - https://go.intigriti.com/register

🐱💻 Can't get enough of these challenges? - https://blog.intigriti.com/hackademy/...

👾 Join our Discord - https://go.intigriti.com/discord

🎙️ This show is hosted by / _cryptocat ( ‪@_CryptoCat‬ ) & / intigriti

👕 Do you want some Intigriti Swag? Check out https://swag.intigriti.com

00:00 Intro
00:45 Explore site functionality
04:24 Source code review
09:45 Attack plan
11:22 XSS via DOMPurify bypass (unicode normalisation bug)
15:32 Cookie manipulation (path precedence)
18:36 Bonus: unintended solution (race condition)
20:22 Summary
20:51 Conclusion