alert(23) to win - eval(location.pathname)

while surfing the internet for some sec news, a xss challenge came across. challenge address https://renwax23.github.io/X/chal/oct22/

It’s on github. So there is no backend, all the codes are in the front. Let’s see it.

if(/\/chal\/oct22\//.test(location.pathname.substr(0,15))){

eval(location.pathname)

}

The logic is simple. After checking the location.pathname, pathname will be evaled. So this is the sink.

round one

https://renwax23.github.io/X/chal/oct22/ Check the console. We see a syntax error. ` Uncaught SyntaxError: Invalid regular expression flags at (index):23 ` So i think that the key is regex. After reading some docs about regex, I couldn’t get an answer.

I tried some random stuff.- & ? \ , and get 404.

round one failed.

round two

So I need to get code 200 and insert some code in the url. But how? Some are urlencoded. Some will return code 404. I fuzzed the url to see what I can insert while it still returns 200. No luck. https://renwax23.github.io/X/chal/oct22// I add a / in the url. And it returned 200. So I can insert / as I need. https://renwax23.github.io//X/chal/oct22/ I add a / in the front. Checking the console, there’s no syntax error. I thought that it’s the right way. So I need to get some line break. Because // comment the code. Trying ‘%0d%0a’ and \u2028 (from prompt(1) to win), they are urlencoded.

I also tried a/../. But chrome will short it. Trying some urlencode. And https://renwax23.github.io//X/chal/oct22/a/..%2f returns code 200. Eureka! Now I can inject code into pathname and I still get code 200.

round three

But there’s still no alert. https://renwax23.github.io/X//chal/oct22/a/..%2f So I moved /. New error.

Uncaught SyntaxError: Unexpected token '.'

Not regex syntax error.

So now I need to get the syntax right. After some trying, I get a new error message. https://renwax23.github.io/X//chal/oct22/a;//..%2f

Uncaught ReferenceError: chal is not defined

So we need to need to define chal. And in javascript, you can use before define. So we can use var to define. I tried var chal. Space will be %20. Syntax error. We can use comment /**/ to seperate.

In the end, we get the alert. poc: https://renwax23.github.io/X//chal/oct22/-alert(23);var//..%2f/..%2f//chal=1;var//..%2f/..%2f/..%2f//oct22=2//..%2f/..%2f

Sereval hours later. I tried again. And get a less one. https://renwax23.github.io/X//chal/oct22/alert(23);var//..%2f..//chal,oct22//..%2f..

Really interesting challenge. Thanks to the author.