The #18th DOJO CHALLENGE is the second version of DOJO #15th. Version 2.0 offers new security levels simulating the behavior of a web application firewall in order to execute JavaScript code in an arbitrary way.
💡 You want to create your own DOJO and publish it? Send us a message on Twitter!
WINNERS!
We are glad to announce the #18 DOJO Challenge winners list.
3 BEST WRITE-UP REPORTS
- The best write-ups reports were submitted by:_Yo0x, parsely and kacihmd! Congrats 🥳
Subscribe to our Twitter and/or Linkedin feeds to be notified of the upcoming challenges.
Read on to find the best write-up as well as the challenge author’s recommendations.
The challenge
Web application firewall bypass v2.0…
We asked you to produce a qualified write-up report explaining the logic allowing such exploitation. This write-up serves two purposes:
- Ensure no copy-paste would occur.
- Determine the contestant ability to properly describe a vulnerability and its vectors inside a professionally redacted report. This capacity gives us invaluable hints on your own, unique, talent as a bug hunter.
BEST WRITE-UP REPORT
We received a large number of reports and all of them were detailed, well explained… However, we had to make a selection of the best ones. These challenges allow to see that there are almost as many different solutions… as long as there is creativity! 😉
Thanks again for all your submissions and thanks for playing with us!
_Yo0x’s Write-Up
————– START OF _Yo0x REPORT ——————
Description
Dom Based XSS is a vulnerability that allow an attacker to execute javascript as a result of modifying the DOM “environment” in the victim’s browser. The attacker can use this XSS to execute arbritrary java script code to steal user information. Generally the XSS are used to steal session cookies.
The goal of this challenge is to manipulate the DOM in order to bypass firewall warning.
To do this we have to inject javascript and make system.Running continue run the program fsociety00.dat without warning.
Exploitation
- Here is the code source of this challenge: