Unicode Normalization and Cookie Path Precedence - Solution to February (Valentines) '24 Challenge
Vložit
- čas přidán 21. 07. 2024
- 🏆 The official writeup for the February '24 Challenge, which involves unicode normalisation (DOMPurify bypass), XSS and cookie manipulation (path precedence). We received 32 valid submissions (and 7 awesome writeups), many of which exploited an unintended race condition 👀 In this video, we'll breakdown the solution 🧠
Full blog/writeup: bugology.intigriti.io/intigri...
Follow @GoatSniff : / goatsniff
Solve the challenge: challenge-0224.intigriti.io
🧑💻 Sign up and start hacking right now - go.intigriti.com/register
🐱💻 Can't get enough of these challenges? - blog.intigriti.com/hackademy/...
👾 Join our Discord - go.intigriti.com/discord
🎙️ This show is hosted by / _cryptocat ( @_CryptoCat ) & / intigriti
👕 Do you want some Intigriti Swag? Check out swag.intigriti.com
00:00 Intro
00:45 Explore site functionality
04:24 Source code review
09:45 Attack plan
11:22 XSS via DOMPurify bypass (unicode normalisation bug)
15:32 Cookie manipulation (path precedence)
18:36 Bonus: unintended solution (race condition)
20:22 Summary
20:51 Conclusion
Amazing video, so cool challenge as always. Didnt know that cookie path precedence or seen it in the wild :(
Thanks! We loved this one as well, I believe GoatSniff got inspiration for the challenge from this talk: czcams.com/video/njQcVWPB1is/video.html - maybe he also found a similar bug before, not sure.
Great work!
Thank you! 💜
Awesome video! Great work!
🙏🥰
Super 🎉
dang, I am lost, need to rewatch the video
There's definitely a lot going on! Some great writeups here too: bugology.intigriti.io/intigriti-monthly-challenges/0224#community-writeups 🥰
Intigriti is my valentine
💜💜💜