Cool Name Effect

Challenge Information

  • Category: Web Security

  • Level: easy

  • Points: 50

Description

The webmaster developed a simple script that applies cool effects to your name, but his code does not filter the input correctly. Execute a JavaScript alert to prove it.

Solution

After accessing the lab, we open it and type special characters such as <, >, ( and ) to see whether any filter is applied.

Next, let's look at the source code to check whether any filtering is in place.

We have two good findings, but we'll focus on line 25 because it starts with the eval() function, which means this line is obfuscated. I'll use this site to deobfuscate it.

I have already reviewed this function and found a weak point in it.

Okay, I'll explain what this function does.

var legacyAlert = alert; // keeps the original alert functionality in legacyAlert
var newAlert = function() { /* ... */ };

var z = ['y', 'o', 'u', 'r', ' ', 'f', 'l', 'a', 'g', ' ', 'i', 's', ':']; // array of characters that spells "your flag is:"

// These lines create a variable called f; every line appends an unexpected value to it.
var f = ([]["fill"] + "")[3];
f += ([false] + undefined)[10];
f += (NaN + [Infinity])[10];
f += (+(211))["to" + String["name"]](31)[1];
f += ([]["entries"]() + "")[3];
f += (+(35))["to" + String["name"]](36);

To see these unexpected values, I'll use an online interpreter and have it print the value with the console.log() function.

var z = ['y', 'o', 'u', 'r', ' ', 'f', 'l', 'a', 'g', ' ', 'i', 's', ':'];
var f = ([]["fill"] + "")[3];
f += ([false] + undefined)[10];
f += (NaN + [Infinity])[10];
f += (+(211))["to" + String["name"]](31)[1];
f += ([]["entries"]() + "")[3];
f += (+(35))["to" + String["name"]](36);
console.log(z.join('') + f)

and you will get the output (this is the flag).
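Why each fragment yields a single character, as an added example that is not part of the original write-up or the challenge's code: every expression first coerces to an ordinary string, and one index is then taken from it. The `fragments` table and the `explain` and `decode` helpers are names made up for this illustration.

```javascript
// Added example: show the intermediate string each obfuscated fragment
// coerces to, then the character picked from that string.

// "to" + String["name"] is only an indirect spelling of "toString".
const method = "to" + String["name"];

// src   = the fragment as it appears in the deobfuscated script
// text  = the plain string the fragment coerces to before indexing
// index = position taken from text (null means the whole string is used)
const fragments = [
  { src: '([]["fill"] + "")[3]',       text: [].fill + "",        index: 3 },
  { src: '([false] + undefined)[10]',  text: [false] + undefined, index: 10 },
  { src: '(NaN + [Infinity])[10]',     text: NaN + [Infinity],    index: 10 },
  { src: '(+(211))[method](31)[1]',    text: (211)[method](31),   index: 1 },
  { src: '([]["entries"]() + "")[3]',  text: [].entries() + "",   index: 3 },
  { src: '(+(35))[method](36)',        text: (35)[method](36),    index: null },
];

// Resolve every fragment to { src, text, char } without using eval().
function explain() {
  return fragments.map(({ src, text, index }) => ({
    src,
    text,
    char: index === null ? text : text[index],
  }));
}

// Concatenate the characters in order, as the script does with f +=.
function decode() {
  return explain().map((step) => step.char).join("");
}

for (const step of explain()) {
  console.log(
    `${step.src.padEnd(28)} ${JSON.stringify(step.text)} -> ${JSON.stringify(step.char)}`
  );
}
```

Resolving the fragments this way gives the same string as the page's console.log() approach while making each coercion step visible.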

Flag
