Cracked Intigriti XSS Challenge 0223 by Dr. Leek
Challenge Walkthrough
So, I decided to hunt on Intigriti and fortunately, I found this exciting Challenge 0223 by Dr. Leek. Upon entering the challenge, there was a functionality to customize your NFT and upload your own background.
After uploading the background image, it was discovered that the website was utilizing the exif-js library to extract metadata from the image and then display it within the web application.
While examining the code at line 42, it appears that we have the ability to manage two variables: ‘strcol’ which refers to ‘DateTimeOriginal’, and ‘strval’ which pertains to ‘UserComment’, both of which are extracted from the uploaded image.
Looking at the source code on line: 53–55 it’s found that all of the fields (comment, owner, created at) has been rendered using DOMPurify.sanitize() so there's no chance we can inject our malicious payload to execute javascript but there's one field image name on line: 52 which is not getting sanitized.
As we know that imgObj is initially string and on line: 43 it gets parsed, therefore we can inject our own payload into any of strcol or strval variable to change the property imgName from within the JSON because if there are multiple properties of the same name javascript JSON.parse() tends to go for the last one and ignore the first one.
Payload: hamza","imgName":"<img src=x onerror=alert(document.domain)>"
After parsing the JSON using JSON.parse() we'll get:
Now, as we had build the roadmap for ourselves, let’s put it to the test. We can use exiftool to contaminate the image metadata (User Comment or Date/Time Original) by our xss payload. I decided to go for the user comment.
Exif Command To Inject XSS Payload:
$ exiftool -UserComment='test","imgName":"<img src=1 onerror=alert(document.domain)>' NFT.jpgThen after we upload our image to the website, and view the image, the temp.imgName will contain our payload which is then rendered inside HTML using namfield.innerHTML = "Image name: " + temp.imgName; as shown in the screenshot below:
Hence the payload we injected will pop an alert results in Dom-Based Cross-Site Scripting:
