The #10 DOJO CHALLENGE was to build a JavaScript payload that is a palindrome. We received many unexpected solutions to this DOJO, with a workaround in just a few characters!
WINNERS!
We are glad to announce the #10 DOJO Challenge winners list.
The first to solve and the 4 best-quality write-up reports:
- The fastest hunter: Ivarsvids
- The 4 most beautiful reports: Ctfpoulpe, Pbeaune, Blaklis, Rekter0
Subscribe to our Twitter or LinkedIn feeds to be notified of the upcoming challenges.
Read on to find the best write-up as well as the challenge author’s recommendations.
The challenge
A palindrome is a word, number, phrase, or other sequence of characters which reads the same backward as forward, such as madam or racecar. There are also numeric palindromes, including date/time stamps using short digits 11/11/11 11:11 and long digits 02/02/2020. Sentence-length palindromes ignore capitalization, punctuation, and word boundaries.
We asked you to produce a qualified write-up report explaining the logic allowing such exploitation. This write-up serves two purposes:
- Ensure no copy-paste would occur.
- Determine the contestant’s ability to properly describe a vulnerability and its vectors in a professionally written report. This capacity gives us invaluable hints about your own unique talent as a bug hunter.
BEST WRITE-UP REPORT
Pbeaune’s report was detailed, informative, and good at explaining the logic to construct the magic payload to obtain the flag.
The other reports, notably Ctfpoulpe’s, Blaklis’s and Rekter0’s, were also very nice. We’re sorry we can’t publish them all, because that’s where you clearly witness the outstanding creativity of our community.
Thank you all for playing with us!
Pbeaune’s Write-Up
————– START OF Pbeaune REPORT ——————
Description
The goal is to find the flag in the DOJO Playground by abusing input and control validation using the $payload parameter:
Exploitation
Here is the source code of the challenge: