The #14 DOJO CHALLENGE consisted of understanding the JavaScript hoisting mechanism and bypassing the page's protection in order to execute a function and recover the flag. This DOJO was created by one of our community members. Thanks to him for this great challenge!
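To make the hoisting point concrete before the write-up, here is an added example that is not the DOJO's own code and not part of the winning report. It models a page script in which a `config` value is spliced raw into JavaScript after an IF statement that checks whether `showFlag` is defined; the exact challenge source is not reproduced, and the names `buildPageScript`, `runPageScript` and `buildSafePageScript` are assumptions for illustration. It shows why a hoisted `var` assignment does not reach the check but a hoisted function declaration does, and one way to close the hole.

```javascript
// Added example (not the DOJO's own code): how function-declaration hoisting
// differs from `var` hoisting, and why a user-controlled function declaration
// can satisfy an "is showFlag defined?" check that runs before the input.

const FLAG = "FLAG{constructed-sample-flag}"; // constructed sample value

// Hypothetical page script modelled on the write-up. The real challenge
// source is not reproduced here; this structure is an assumption:
//   1. `showFlag` is declared but never assigned,
//   2. the IF statement runs,
//   3. the user-controlled `config` value is interpolated after it.
function buildPageScript(config) {
  return [
    "var out = null;",
    "var showFlag;",                                        // declared, still undefined
    'if (typeof showFlag !== "undefined") { out = FLAG; }', // the gate
    `var config = "${config}";`,                            // raw interpolation (the bug)
    "return out;",
  ].join("\n");
}

// Compile and run the generated script in an isolated function scope.
// `new Function` bodies are sloppy-mode, like an inline <script>, so both
// `var` and function declarations are hoisted to the top of that scope.
function runPageScript(config) {
  return new Function("FLAG", buildPageScript(config))(FLAG);
}

// Hardened variant: serialize the value instead of splicing it into code.
// JSON.stringify keeps quotes and semicolons inside the string literal, so
// the input can no longer introduce a declaration. (For a real inline
// <script>, also escape "<" so "</script>" cannot terminate the element.)
function buildSafePageScript(config) {
  return [
    "var out = null;",
    "var showFlag;",
    'if (typeof showFlag !== "undefined") { out = FLAG; }',
    `var config = ${JSON.stringify(config)};`,
    "return out;",
  ].join("\n");
}

function runSafePageScript(config) {
  return new Function("FLAG", buildSafePageScript(config))(FLAG);
}

// Three constructed inputs, showing why only the function declaration works:
//  - "abc": nothing hoists, showFlag stays undefined at the IF
//  - '"; var showFlag = true; //': the declaration hoists but the assignment
//    does not, so showFlag is still undefined when the IF runs
//  - '"; function showFlag(){} //': the whole function hoists, so showFlag is
//    already a function object when the IF runs and the flag is exposed
const BENIGN = "abc";
const VAR_PAYLOAD = '"; var showFlag = true; //';
const FUNCTION_PAYLOAD = '"; function showFlag(){} //';

for (const input of [BENIGN, VAR_PAYLOAD, FUNCTION_PAYLOAD]) {
  console.log(
    JSON.stringify(input),
    "-> vulnerable:", runPageScript(input),
    "| hardened:", runSafePageScript(input)
  );
}
```

Running it prints `null` for the benign input and for the `var` payload on both variants, the flag for the function payload on the vulnerable variant, and `null` for every input on the hardened variant. The `var` case is the useful contrast: the declaration is hoisted, but its initializer only runs when execution reaches that line, which is after the check; a function declaration is hoisted together with its body, so the name already holds a function object when the IF statement evaluates.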
💡 You want to create your own DOJO and publish it? Send us a message on Twitter!
WINNERS!
We are glad to announce the #14 DOJO Challenge winners list.
3 BEST WRITE-UP REPORTS
- The best write-up reports were submitted by: Dtql, Brumens and s3asarv3sh
Subscribe to our Twitter or Linkedin feeds to be notified of the upcoming challenges.
Read on to find the best write-up as well as the challenge author’s recommendations.
The challenge
We all know how prototype works, but is this really a proto here?
We asked you to produce a qualified write-up report explaining the logic allowing such exploitation. This write-up serves two purposes:
- Ensure no copy-paste would occur.
- Determine the contestant's ability to properly describe a vulnerability and its vectors in a professionally written report. This capacity gives us invaluable hints about your own unique talent as a bug hunter.
BEST WRITE-UP REPORT
Brumens's report was well detailed and really useful for understanding the logic of this challenge. All the steps are clearly explained, and it is very useful for everyone to understand how he went about solving this DOJO.
The other reports, notably Dtql's and s3asarv3sh's, were also very nice; we're sorry we can't publish them all, because that's where you clearly witness the outstanding creativity of our community.
Thank you all for playing with us!
Brumens's Write-Up
————– START OF Brumens REPORT ——————
Description
A cross-site scripting (XSS) [1] vulnerability was located inside https://dojo-yeswehack.com/Playground#{token}. The JavaScript [2] that was running on the page generated a flag that was hidden.
Inside the JavaScript code there was an IF statement [3] with the task of printing out the flag to the page.
The IF statement will only run if the variable [4] “showFlag” has been defined. The JavaScript code had not defined the variable “showFlag” before running the IF statement; because it didn't define the variable, the IF statement wasn't executed. This method kept the flag hidden.
The user has the ability to input a value into the “showFlag” variable by using the parameter “config”. The user can also execute JavaScript by inserting a semicolon (;) that ends the value of “config”, which gives the advantage of crafting custom JavaScript code to gather the hidden flag. However, the variable “showFlag” was declared by the original JavaScript code before the IF statement and the user input were executed.
The problem is that JavaScript has a process that allocates memory for variable and function declarations prior to execution of the code. This means that JavaScript has the “showFlag” variable in its memory with its default value (“undefined”). This refers to hoisting [5], which creates a vulnerability inside the JavaScript code. This is because the user is able to define the variable “showFlag” as a function, which will set “showFlag” to the default value of a function. When JavaScript performs its hoisting process, the IF statement will execute and expose the hidden flag to the user.
Exploitation
The vulnerability is possible because of JavaScript's hoisting prior to execution of the code.