Unicode Normalization and Cookie Path Precedence - Solution to February (Valentines) '24 Challenge

Sdílet
Vložit
  • čas přidán 21. 07. 2024
  • 🏆 The official writeup for the February '24 Challenge, which involves unicode normalisation (DOMPurify bypass), XSS and cookie manipulation (path precedence). We received 32 valid submissions (and 7 awesome writeups), many of which exploited an unintended race condition 👀 In this video, we'll breakdown the solution 🧠
    Full blog/writeup: bugology.intigriti.io/intigri...
    Follow ‪@GoatSniff‬ : / goatsniff
    Solve the challenge: challenge-0224.intigriti.io
    🧑💻 Sign up and start hacking right now - go.intigriti.com/register
    🐱💻 Can't get enough of these challenges? - blog.intigriti.com/hackademy/...
    👾 Join our Discord - go.intigriti.com/discord
    🎙️ This show is hosted by / _cryptocat ( ‪@_CryptoCat‬ ) & / intigriti
    👕 Do you want some Intigriti Swag? Check out swag.intigriti.com
    00:00 Intro
    00:45 Explore site functionality
    04:24 Source code review
    09:45 Attack plan
    11:22 XSS via DOMPurify bypass (unicode normalisation bug)
    15:32 Cookie manipulation (path precedence)
    18:36 Bonus: unintended solution (race condition)
    20:22 Summary
    20:51 Conclusion

Komentáře • 11

  • @user-cu3mp3lj8f
    @user-cu3mp3lj8f Před 4 měsíci +1

    Amazing video, so cool challenge as always. Didnt know that cookie path precedence or seen it in the wild :(

    • @intigriti
      @intigriti  Před 4 měsíci

      Thanks! We loved this one as well, I believe GoatSniff got inspiration for the challenge from this talk: czcams.com/video/njQcVWPB1is/video.html - maybe he also found a similar bug before, not sure.

  • @nop_i
    @nop_i Před 3 měsíci

    Great work!

  • @camelotenglishtuition6394
    @camelotenglishtuition6394 Před 5 měsíci

    Awesome video! Great work!

  • @KL-og8gg
    @KL-og8gg Před 5 měsíci

    dang, I am lost, need to rewatch the video

    • @intigriti
      @intigriti  Před 5 měsíci +1

      There's definitely a lot going on! Some great writeups here too: bugology.intigriti.io/intigriti-monthly-challenges/0224#community-writeups 🥰

  • @sassywoocooo
    @sassywoocooo Před 5 měsíci +1

    Intigriti is my valentine

Další v pořadí
Automatické přehrávání
DOM Clobbering, CSPP (axios) and XSS - Unintended Solutions to January '24 Challenge24:22DOM Clobbering, CSPP (axios) and XSS - Unintended Solutions to January '24 Challenge
DOM Clobbering, CSPP (axios) and XSS - Unintended Solutions to January '24 ChallengeIntigriti
zhlédnutí 1,1K
Aggressive Scanning in Bug Bounty (and how to avoid it)18:18Aggressive Scanning in Bug Bounty (and how to avoid it)
Aggressive Scanning in Bug Bounty (and how to avoid it)Intigriti
zhlédnutí 1,8K
Understanding Scope, Ethics and Code of Conduct (CoC)14:11Understanding Scope, Ethics and Code of Conduct (CoC)
Understanding Scope, Ethics and Code of Conduct (CoC)Intigriti
zhlédnutí 751
Bender - BEDNY UŽ NIKDY, TÝPEK NÁM VYHROŽOVAL V OBCHODĚ, UŽ SE NECHCI ZAVDĚČIT1:39:46Bender - BEDNY UŽ NIKDY, TÝPEK NÁM VYHROŽOVAL V OBCHODĚ, UŽ SE NECHCI ZAVDĚČIT
Bender - BEDNY UŽ NIKDY, TÝPEK NÁM VYHROŽOVAL V OBCHODĚ, UŽ SE NECHCI ZAVDĚČITVláďa Kadlec - EXPERIENCE
zhlédnutí 203K
Lady Plays Hide and Seek with Her Dog00:23Lady Plays Hide and Seek with Her Dog
Lady Plays Hide and Seek with Her DogViralSnare Rights Management
zhlédnutí 26M
MrBeast Balloon Pop Racing Gone WRONG!00:54MrBeast Balloon Pop Racing Gone WRONG!
MrBeast Balloon Pop Racing Gone WRONG!How Ridiculous
zhlédnutí 56M
Cool Items!🥰 New Gadgets, Smart Appliances, Kitchen Tools Utensils, Home Cleaning, Beauty #shorts00:18Cool Items!🥰 New Gadgets, Smart Appliances, Kitchen Tools Utensils, Home Cleaning, Beauty #shorts
Cool Items!🥰 New Gadgets, Smart Appliances, Kitchen Tools Utensils, Home Cleaning, Beauty #shortsCool Items Official
zhlédnutí 56M
Introduction to GraphQL Attacks18:50Introduction to GraphQL Attacks
Introduction to GraphQL AttacksIntigriti
zhlédnutí 1,6K
Learn Nuclei in 30 minutes - DEF CON Nuclei Demo35:48Learn Nuclei in 30 minutes - DEF CON Nuclei Demo
Learn Nuclei in 30 minutes - DEF CON Nuclei DemoProjectDiscovery
zhlédnutí 8K
One second to compute the largest Fibonacci number I can25:55One second to compute the largest Fibonacci number I can
One second to compute the largest Fibonacci number I canSheafification of G
zhlédnutí 75K
Common Scoping Mistakes24:30Common Scoping Mistakes
Common Scoping MistakesIntigriti
zhlédnutí 750
Finally! HOW TO solve the INTIGRITI Easter XSS challenge using only Chrome DEVTOOLS!42:10Finally! HOW TO solve the INTIGRITI Easter XSS challenge using only Chrome DEVTOOLS!
Finally! HOW TO solve the INTIGRITI Easter XSS challenge using only Chrome DEVTOOLS!STÖK
zhlédnutí 52K
Black Hat Bash: Bash Scripting for Hackers and Pentesters (Bonus: GraphQL and Drone hacking)1:40:11Black Hat Bash: Bash Scripting for Hackers and Pentesters (Bonus: GraphQL and Drone hacking)
Black Hat Bash: Bash Scripting for Hackers and Pentesters (Bonus: GraphQL and Drone hacking)David Bombal
zhlédnutí 58K
making a game in zig (i have never used zig) LIVE!6:14:43making a game in zig (i have never used zig) LIVE!
making a game in zig (i have never used zig) LIVE!jdh
zhlédnutí 82K
How Hackers Bypass Kernel Anti Cheat19:38How Hackers Bypass Kernel Anti Cheat
How Hackers Bypass Kernel Anti CheatRyscu
zhlédnutí 536K
Finding and Exploiting an Unused API Endpoint7:10Finding and Exploiting an Unused API Endpoint
Finding and Exploiting an Unused API EndpointIntigriti
zhlédnutí 4,6K
ZKOUŠIME MYSTERY OBJEDNÁVKU Z McDONALDU 😅01:00ZKOUŠIME MYSTERY OBJEDNÁVKU Z McDONALDU 😅
ZKOUŠIME MYSTERY OBJEDNÁVKU Z McDONALDU 😅Stejk
zhlédnutí 313K
ANATOLY Use FAKE WEIGHTS in GYM PRANK #anatoly #fitness #gym00:58ANATOLY Use FAKE WEIGHTS in GYM PRANK #anatoly #fitness #gym
ANATOLY Use FAKE WEIGHTS in GYM PRANK #anatoly #fitness #gymANATOLY
zhlédnutí 19M
Policie ČR si vždycky poradí 👮🏻‍♂️ #selixinho00:49Policie ČR si vždycky poradí 👮🏻‍♂️ #selixinho
Policie ČR si vždycky poradí 👮🏻‍♂️ #selixinhoSelixinho
zhlédnutí 99K
Growing An Ear In Your Arm 😨00:30Growing An Ear In Your Arm 😨
Growing An Ear In Your Arm 😨Zack D. Films
zhlédnutí 18M
#JasonDeruloTV // Lottery #GotPermissionToPost From @prestige_et_collection #FromTheIslands00:17#JasonDeruloTV // Lottery #GotPermissionToPost From @prestige_et_collection #FromTheIslands
#JasonDeruloTV // Lottery #GotPermissionToPost From @prestige_et_collection #FromTheIslandsJason Derulo
zhlédnutí 39M
35M Subscriber Moment Almost Here🎉❤️ Supported by Korean creators🇰🇷🤝🇯🇵00:3235M Subscriber Moment Almost Here🎉❤️ Supported by Korean creators🇰🇷🤝🇯🇵
35M Subscriber Moment Almost Here🎉❤️ Supported by Korean creators🇰🇷🤝🇯🇵ISSEI / いっせい
zhlédnutí 64M
Playing hide and seek with my dog 🐶00:25Playing hide and seek with my dog 🐶
Playing hide and seek with my dog 🐶Zach King
zhlédnutí 30M
Survival Skills: Amazing Basket for Extreme Conditions. #survival #camping #bushcraft #lifehacks00:26Survival Skills: Amazing Basket for Extreme Conditions. #survival #camping #bushcraft #lifehacks
Survival Skills: Amazing Basket for Extreme Conditions. #survival #camping #bushcraft #lifehacksSergio Outdoors
zhlédnutí 79M