eligrey/challenge.js

## challenge.js
// @ts-nocheck

//
//  User-initiated click isTrusted attestation challenge:
//
//   Secure this 'click' event listener from synthetic clicks
//   while working in a prototype pollution superfund site.
//
//   addEventListener() has been been backdoored.
//
//   Good luck!
//

// Secure references for backdoor
const apply = Function.prototype.call.bind(Function.prototype.apply);
const create = Object.create.bind(Object);
const { addEventListener } = EventTarget.prototype;
const { MouseEvent } = self;

// Backdoor addEventListener
EventTarget.prototype.addEventListener = function () {
  const [type, listener] = arguments;
  // Hijack click listeners
  if (type === 'click') {
    const props = {};
    const click = new MouseEvent('click');
    // Clone and flatten all enumerable properties in prototype chain
    for (const prop in click) {
      props[prop] = { value: click[prop] };
    }
    // Spoof event.isTrusted
    props.isTrusted = { value: true };
    // Create fake user-initiated click with MouseEvent prototype chain
    const fakeClick = create(click, props);
    listener(fakeClick);
  }
  // Pass-through to real addEventListener
  return apply(addEventListener, this, arguments);
};

// Backdoor `instanceof MouseEvent`
const MouseEventHasInstance = Object.getOwnPropertyDescriptor(MouseEvent, Symbol.hasInstance);
if (!MouseEventHasInstance || MouseEventHasInstance.configurable) {
  Object.defineProperty(MouseEvent, Symbol.hasInstance, {
    value: () => true
  });
}

// Backdoor `event.type` getter
const getType = Object.getOwnPropertyDescriptor(Event.prototype, 'type').get;
Object.defineProperty(Event.prototype, 'type', {
  get() {
    return Object.getOwnPropertyDescriptor(this, 'type')?.value || getType.call(this);
  }
});

// SOLUTION
// Fix this function without changing code outside of the solution block
const isUserInitiatedClick = (event) => {
  try {
    return (
      event instanceof MouseEvent &&
      event.type === 'click' &&
      event.isTrusted
    );
  } catch (ex) {
    return false;
  }
};
// END SOLUTION

const secret = '[secret value]';
const reciever = (data) => {
  console.log('Secret recieved:', data);
};

const container = document.querySelector('ul.nav') || document.body;
const button = container.querySelector('button.challenge-button') || container.appendChild(document.createElement('button'));
button.classList.add('challenge-button');
if (!button.textContent) {
  button.append('Share secret (real clicks only!)');
}

// Clear any event listeners on button
const clone = button.cloneNode(true);
button.replaceWith(clone);

// Listen for button clicks
clone.addEventListener('click', (event) => {
  if (isUserInitiatedClick(event)) {
    console.log('Click trusted:', event);
    reciever(secret);
  } else {
    console.error('Detected fake click:', event);
  }
});
	// @ts-nocheck

	//
	// User-initiated click isTrusted attestation challenge:
	//
	// Secure this 'click' event listener from synthetic clicks
	// while working in a prototype pollution superfund site.
	//
	// addEventListener() has been been backdoored.
	//
	// Good luck!
	//

	// Secure references for backdoor
	const apply = Function.prototype.call.bind(Function.prototype.apply);
	const create = Object.create.bind(Object);
	const { addEventListener } = EventTarget.prototype;
	const { MouseEvent } = self;

	// Backdoor addEventListener
	EventTarget.prototype.addEventListener = function () {
	const [type, listener] = arguments;
	// Hijack click listeners
	if (type === 'click') {
	const props = {};
	const click = new MouseEvent('click');
	// Clone and flatten all enumerable properties in prototype chain
	for (const prop in click) {
	props[prop] = { value: click[prop] };
	}
	// Spoof event.isTrusted
	props.isTrusted = { value: true };
	// Create fake user-initiated click with MouseEvent prototype chain
	const fakeClick = create(click, props);
	listener(fakeClick);
	}
	// Pass-through to real addEventListener
	return apply(addEventListener, this, arguments);
	};

	// Backdoor `instanceof MouseEvent`
	const MouseEventHasInstance = Object.getOwnPropertyDescriptor(MouseEvent, Symbol.hasInstance);
	if (!MouseEventHasInstance \|\| MouseEventHasInstance.configurable) {
	Object.defineProperty(MouseEvent, Symbol.hasInstance, {
	value: () => true
	});
	}

	// Backdoor `event.type` getter
	const getType = Object.getOwnPropertyDescriptor(Event.prototype, 'type').get;
	Object.defineProperty(Event.prototype, 'type', {
	get() {
	return Object.getOwnPropertyDescriptor(this, 'type')?.value \|\| getType.call(this);
	}
	});

	// SOLUTION
	// Fix this function without changing code outside of the solution block
	const isUserInitiatedClick = (event) => {
	try {
	return (
	event instanceof MouseEvent &&
	event.type === 'click' &&
	event.isTrusted
	);
	} catch (ex) {
	return false;
	}
	};
	// END SOLUTION

	const secret = '[secret value]';
	const reciever = (data) => {
	console.log('Secret recieved:', data);
	};

	const container = document.querySelector('ul.nav') \|\| document.body;
	const button = container.querySelector('button.challenge-button') \|\| container.appendChild(document.createElement('button'));
	button.classList.add('challenge-button');
	if (!button.textContent) {
	button.append('Share secret (real clicks only!)');
	}

	// Clear any event listeners on button
	const clone = button.cloneNode(true);
	button.replaceWith(clone);

	// Listen for button clicks
	clone.addEventListener('click', (event) => {
	if (isUserInitiatedClick(event)) {
	console.log('Click trusted:', event);
	reciever(secret);
	} else {
	console.error('Detected fake click:', event);
	}
	});