Cracked XSS — Challenge 0223 by Dr. Leek

So, I decided to hunt on Intigriti and fortunately, I found this exciting Challenge 0223 by Dr. Leek. Upon entering the challenge, there was a functionality to customize your NFT and upload your own background.

After uploading the background, it was discovered that the website was using exif-js library to extract metadata from images and render it in the web application.

After looking at the code on line: 42 it seems like we can control two variables strcol (DateTimeOriginal) and strval which is used for UserComment extracted from the image.

Looking at the source code on line: 53–55 it’s found that all of the fields (comment, owner, created at) has been rendered using DOMPurify.sanitize() so there's no chance we can inject our malicious payload to execute javascript but there's one field image name on line: 52 which is not getting sanitized.

As we know that imgObj is initially string and on line: 43 it gets parsed, therefore we can inject our own payload into any of strcol or strval variable to change the property imgName from within the JSON because if there are multiple properties of the same name javascript JSON.parse() tends to go for the last one and ignore the first one.

Payload: hamza","imgName":"<img src=x onerror=alert(document.domain)>"

After parsing the JSON using JSON.parse() we'll get:

Now, as we had build the roadmap for ourselves, let’s put it to the test. We can use exiftool it to contaminate the image metadata (User Comment or Date/Time Original) by our xss payload. I decided to go for the user comment.

Exif Command To Inject XSS Payload:

Then after we upload our image to the website, and view the image, the temp.imgName will contain our payload which is then rendered inside HTML using namfield.innerHTML = "Image name: " + temp.imgName; as shown in the screenshot below:

Hence the payload we injected will pop an alert results in Dom-Based Cross-Site Scripting: