I didn’t check all the challenges this time because when I joined the competition, most of the challenges already solved by my teammates lol

I love JavaScript(yep, including those weird features) and XS-leak, so this writeup will talk about only two challenges:

  1. web/Sustenance
  2. misc/CaaSio PSE

Read More

Among the many web vulnerabilities, my favorite is prototype pollution. It can be powerful sometimes when you find a script gadget.

So, I decided to make an XSS challenge about prototype pollution.

In April, the challenge I made was released on Intigriti, if you haven’t checked that one, here is the link: https://challenge-0422.intigriti.io/

Making a good challenge is hard.

I made a few mistakes. With the bugs I made, the challenge became much easier. To make up for it, I decided to make another one, called “The Revenge of Intigriti 0422 Challenge”.

Below is the intended solution to the revenge challenge.

Challenge URL: https://aszx87410.github.io/xss-challenge/revenge-of-intigriti-0422

Read More

ERPNext is a very popular open-source ERP(Enterprise Resource Planning) software built on Frappe Framework.

Last December, we found two vulnerabilities in the latest version of ERPNext: SSRF(Server-Side Request Forgery) and account takeover via XSS. Both vulnerabilities require a low-privileged authenticated user to perform the attack.

By exploiting SSRF, a malicious actor could steal the credentials from cloud metadata and may lead to RCE. For XSS, it’s possible to take over others’ accounts.

We reported both vulnerabilities on November 25th, 2021. At the time of writing, there is still no fix for those two issues, so we decided to publish the details to inform the public about the risk.

Read More

Amelia is a WordPress plugin for booking systems developed by TNS. With 40,000+ active installations, it has been used for the clinic, hair salon, tutor, and so on.

In March, we studied the source code of Amelia and found three vulnerabilities in the end:

  • CVE-2022-0720 Amelia < 1.0.47 - Customer+ Arbitrary Appointments Update and Sensitive Data Disclosure (CVSS 6.3)
  • CVE-2022-0825 Amelia < 1.0.49 - Customer+ Arbitrary Appointments Status Update (CVSS 6.3)
  • CVE-2022-0837 Amelia < 1.0.48 - Customer+ SMS Service Abuse and Sensitive Data Disclosure (CVSS 5.4)

By exploiting these vulnerabilities, a malicious actor could get all the customer’s data, including name, phone, and booking details.

In this article, I will talk about the code structure of Amelia and the details of three vulnerabilities.

Read More

In May 2021, I solved my first Intigriti XSS challenge. Since then, I play every XSS challenge afterward, and solved most of them. Sometimes it’s painful when you try everything you know but still can’t solve it, however, the moment you made it, the pain is gone, replaced with joy and happiness.

As a player, I want to be on the other end(as a challenge maker) at least once, if I have an idea of an interesting XSS challenge.

I talked to @PinkDraconian in Jan 2021 and share an XSS challenge I created, after a few discussions, it gets accepted. This write-up is about the story behind the challenge.

Read More

Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now

×