Challenge Link: https://challenge-0223.intigriti.io/
Challenge By: https://twitter.com/x64pr0fessor
Goal: find a method to display an alert box, confirming that this is indeed an instance of XSS.
We were given an application that allows us to create a “Leek NFT” by uploading our own picture as the background. After uploading the image you have to submit it. You’ll see the message “file uploaded successfully to 355fed1f-a3ed-44cd-b708-93e1c6f2559a”, where “355fed1f-a3ed-44cd-b708-93e1c6f2559a” is some kind of UUID or other identifier for the session and the uploaded file.
Now click on save. You’ll be redirected to the main NFT page.
The retrieved information is added to the JSON string.
The application concatenates strings without performing any sanitization, giving attackers a potential entry point to inject arbitrary data into the “imgobj” variable.
The imgName variable in the code is intentionally hardcoded and cannot be modified directly.
Using the potential entry point in “imgobj”, we could append another key named “imgName” to the end of the JSON string.
Consider the below case:
The final value of key1 would be Gojo because, as mentioned above, JSON.parse() always takes the value of the last key when multiple keys share the same name.
With the above information we could craft a payload for the imgobj JSON string:
"imgName":"<img src=x onerror=alert(document.domain)>"
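To make the duplicate-key behaviour concrete, here is an added example (not the challenge's own code) that reconstructs the flaw: an image comment is concatenated into a JSON string unescaped, so the comment above smuggles in a second imgName key and JSON.parse() keeps the last one. The function names, the hardcoded filename `leek.png` and the duplicate-key detector are assumptions for illustration; the fix shown is to let JSON.stringify() escape every value.

```javascript
// Vulnerable builder (reconstruction, not the challenge's source): the comment
// is spliced into the JSON text by string concatenation, so a `"` inside it
// closes the imgComment value and lets the attacker add further keys.
function buildImgObjVulnerable(imgComment) {
  const imgName = "leek.png"; // hypothetical hardcoded value, as in the write-up
  return '{"imgName": "' + imgName + '", "imgComment": "' + imgComment + '"}';
}

// Hardened builder: serialize an object so quotes and backslashes in the
// comment are escaped and it can never break out of its own string value.
function buildImgObjSafe(imgComment) {
  return JSON.stringify({ imgName: "leek.png", imgComment: imgComment });
}

// Constructed sample comment mirroring the exiftool payload from the write-up.
const INJECTED_COMMENT =
  'pr0shx", "imgName": "<img src=x onerror=alert(document.domain)>';

// What the front end would actually read after parsing each builder's output.
function parsedImgName(builder, comment) {
  return JSON.parse(builder(comment)).imgName;
}

// Detection helper: JSON.parse() silently resolves duplicate keys (last wins),
// so inspect the raw text for repeated top-level-looking keys before parsing.
// Returns the names of keys that appear more than once as `"key":` tokens.
function duplicateKeys(jsonText) {
  const seen = new Map();
  const keyToken = /"((?:[^"\\]|\\.)*)"\s*:/g;
  for (const m of jsonText.matchAll(keyToken)) {
    seen.set(m[1], (seen.get(m[1]) || 0) + 1);
  }
  return [...seen].filter(([, count]) => count > 1).map(([key]) => key);
}

console.log(parsedImgName(buildImgObjVulnerable, INJECTED_COMMENT)); // injected img tag
console.log(parsedImgName(buildImgObjSafe, INJECTED_COMMENT));       // leek.png
console.log(duplicateKeys(buildImgObjVulnerable(INJECTED_COMMENT))); // [ 'imgName' ]
```

In the vulnerable output the raw JSON contains imgName twice and the parsed object carries the injected tag; in the hardened output the whole comment survives intact inside imgComment and imgName is untouched.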
In order to achieve the above format inject the payload in the imgComment field using exiftool:
exiftool -UserComment='pr0shx", "imgName": "<img src=x onerror=alert(document.domain)>' image.png
So, now upload image.png to https://challenge-0223.intigriti.io/create and submit it. Click on save and an alert box pops up on the challenge domain, as shown below.
Prepared by Prashanth in collaboration with Pawel.
Connect with us at -