As usual, there is an Intigriti challenge in January, but this time it’s not an XSS challenge. It’s about “second order injection”, which is relatively uncommon, so I decided to write a blog post.
I got first blood on a challenge called “safelist” in SekaiCTF 2022. It’s a challenge about XS-Leaks, and request timing in particular. Here is my writeup.
Challenge description:
Safelist™ is a completely safe list site to hold all your important notes! I mean, look at all the security features we have, we must be safe!
When it comes to CSP bypass, a technique using AngularJS is well-known. One of its variants requires another library, Prototype.js, to work.
After understanding how it works, I began to wonder whether other libraries on cdnjs could do similar things, so I started researching.
This article starts with the cdnjs CSP bypass, explains why Prototype.js is needed, and then describes how I found a replacement for it on cdnjs.
In August, bruno and I made an XSS challenge on Intigriti. When we decided to make it, we hoped it would be a difficult and fun challenge that players could also learn a lot from.
Here is the writeup for this challenge.
At first, I had no intention of writing a post about this challenge because the author already had a great one: corCTF 2022 Challenge Writeups. But it’s my first time being the only solver of a challenge, so it’s still worth writing one.
In this post, I will talk about how I tackled the challenge in the first place and how I solved it in the end.
We have all heard about the insecure deserialization vulnerability and seen many real-world cases in Java, PHP, and other languages.
But we rarely hear about this vulnerability in JavaScript. I think it’s because the built-in serialization/deserialization functions JSON.parse and JSON.stringify only support basic data structures like strings, numbers, arrays and objects.
Classes and functions are not supported, so there is no way to run malicious code during deserialization.
What if we implement our own deserialization logic and support classes and functions? What could possibly go wrong?
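To make the risk concrete, here is an added illustration (it is not code from the HORKOS challenge or from this blog): a toy serializer that tags class instances and functions so they survive a round trip, a naive deserializer that rebuilds whatever the input asks for, and a hardened one that only revives allow-listed classes. The `Note` class, the `registry`, and the attack payload are all constructed for the example.

```javascript
// Application class we legitimately want to round-trip.
class Note {
  constructor(text) { this.text = text; }
  preview() { return this.text.slice(0, 10); }
}

// Allow-list of classes the application expects in serialized data.
const registry = { Note };

// Serializer: JSON.stringify with a replacer that tags what JSON cannot express.
function serialize(value) {
  return JSON.stringify(value, (key, v) => {
    if (typeof v === 'function') {
      return { __type: 'function', src: v.toString() };
    }
    if (v && typeof v === 'object' && !Array.isArray(v) && v.constructor !== Object) {
      return { __type: 'class', name: v.constructor.name, data: { ...v } };
    }
    return v;
  });
}

// Naive deserializer: trusts the type tags and rebuilds functions from source.
// The function source is attacker-controlled and is evaluated at parse time.
function unsafeDeserialize(text) {
  return JSON.parse(text, (key, v) => {
    if (v && v.__type === 'function') {
      return new Function('return (' + v.src + ')')();
    }
    if (v && v.__type === 'class') {
      return Object.assign(Object.create(registry[v.name].prototype), v.data);
    }
    return v;
  });
}

// Hardened deserializer: never revives functions, only allow-listed classes,
// and copies data properties one by one so a "__proto__" key cannot change
// the prototype of the rebuilt instance.
function safeDeserialize(text) {
  return JSON.parse(text, (key, v) => {
    if (v && typeof v === 'object' && !Array.isArray(v) && '__type' in v) {
      const known = v.__type === 'class' &&
        Object.prototype.hasOwnProperty.call(registry, v.name);
      if (!known) throw new Error('refusing to revive ' + v.__type + ' ' + v.name);
      const inst = Object.create(registry[v.name].prototype);
      const data = (v.data && typeof v.data === 'object') ? v.data : {};
      for (const [k, val] of Object.entries(data)) {
        if (k === '__proto__') continue;
        inst[k] = val;
      }
      return inst;
    }
    return v;
  });
}

// Constructed attacker payload: the "function" is an IIFE, so its body runs
// the moment the naive deserializer evaluates it, before the app calls anything.
const payload = JSON.stringify({
  note: {
    __type: 'function',
    src: '(function(){ globalThis.pwned = "code ran during parse"; return () => 1; })()',
  },
});

function runUnsafe() {
  delete globalThis.pwned;
  unsafeDeserialize(payload);
  return globalThis.pwned;            // "code ran during parse"
}

function runSafe() {
  delete globalThis.pwned;
  try {
    safeDeserialize(payload);
    return 'no throw';
  } catch (e) {
    return globalThis.pwned === undefined ? 'rejected' : 'leaked';
  }
}

// Legitimate data still round-trips through the hardened path.
function roundTrip() {
  return safeDeserialize(serialize({ n: new Note('hello world') })).n.preview();
}
```

The point is that the danger is not JSON itself but the reviver: once the parser is taught to turn a string into a function, the input decides what code runs, and it runs during parsing rather than at some later call site. Reviving classes by name is only safe when the name is checked against a fixed allow-list and the copied properties cannot reach the prototype.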
GoogleCTF 2022 has a web challenge called “HORKOS,” which shows us the way.
Last weekend, I played justCTF 2022 with my team Water Paddler, and we got 7th place!
This is the write-up for one of the XS-Leak challenges, the easier one. If you want to see the hard one, you can refer to this awesome writeup: New technique of stealing data using CSS and Scroll-to-text Fragment feature.
I didn’t check all the challenges this time, because by the time I joined the competition, most of them had already been solved by my teammates lol
I love JavaScript (yep, including those weird features) and XS-Leaks, so this writeup covers only two challenges:
Among the many web vulnerabilities, my favorite is prototype pollution. It can be powerful once you find a script gadget.
So I decided to make an XSS challenge about prototype pollution.
In April, the challenge I made was released on Intigriti. If you haven’t checked that one, here is the link: https://challenge-0422.intigriti.io/
Making a good challenge is hard.
I made a few mistakes, and the bugs I introduced made the challenge much easier than intended. To make up for it, I decided to make another one, called “The Revenge of Intigriti 0422 Challenge”.
Below is the intended solution to the revenge challenge.
Challenge URL: https://aszx87410.github.io/xss-challenge/revenge-of-intigriti-0422
Challenge URL: https://challenge-0422.intigriti.io/