Scratch, speed run, what do I do? Quotation mark, plus alert, plus, and then alert one, and then plus quotation mark. Same level. Everything you say is going to be on YouTube publicly. All right, what else? I forgot. Oh yeah, backslash, forward, is it, yeah, backslash? Forward slash? Backslash, yeah, backslash, and quote, or double quote. It's double quote. Yeah, so backslash double quote, and then parentheses, colon, alert one, colon, forward slash forward slash, and 15 characters. That's crazy. You don't need the second one. Oh, do I not need the second one? Come on, I'll, sorry guys. This is my first time. Jason, can you close off the script tag? This one you have to use, oh yeah, no, go ahead. Close off the script tag, then make a new script tag, alert one, and then comment it out, slash slash. Alert A. JavaScript. Percent 22 plus alert one, percent 22. No, plus, plus after alert one. How does this work? So percent 22 is just closing the tag. Yeah, it's at SP. Was it called stringify on it? I think Ryan found it. It was like one error. So first you start with two left brackets, then you do any character decay, then you do a type, type, type, type, type. And then you do HTTP colon dash dash, slash slash, slash slash. And then you do onerror, one word, equals, alert one, and you end it with two right brackets. Nice. Yeah, this one, it took me so long because I was doing it the other way around. I was doing the HTTP and then doing the image tag inside of it, and then I could not get it to work. And then that was when I was here that day, that was about two weeks ago, and then I went home and I was like, oh, you should switch them around. So I went and stopped making dinner right now. Oh, hey. This one I want to photograph. Oh yeah, I got this from Andrew. So Andrew, oh, because he sent the thing out on the shelf which made the list. You guys are going to do this. Nice. So yeah, I stole it from him.
Yeah, this sort of thing I think would be cool, friendly competition to build up the skill level, and then I apologize, professor. All right, DOM. That's the first time. I sit like that all the time. He's never said anything to me. But you're not a professor. Yeah, I'm just twice as old as the professor. He just only had an upper. That's true. Anyone want to solve DOM? Did we solve DOM? Yeah. How are you going? So comment with an uppercase C, and then hash, and then greater than. And then hash, and then greater than, then a script tag. Then alert one, and then a closed script tag. So explain it to me. What's going on? Somewhere in there it's creating a comment in that a dot appendChild. And then we're closing the comment out with that extra greater-than symbol. It didn't work, though. It works on my browser. No, you need a greater than right after the, yeah, right there. Yeah, you have a comment. Oh, it's comment. So what is it? Create a comment. There you go. And then greater than right after the hash. Yeah. There it goes. Okay. What is comment? It's basically we're closing out the comment tag and then we're injecting our script. Where does the comment come from? So the third-to-last line has the a dot appendChild, document dot create. So it adds the create, and then the comment, which is the thing before the hash. So it creates a comment, and then the next character is closing out the comment and then adding the script. Can you do, like, document dot createScript or something? Does that exist? I looked for something like that, but it didn't work out. I don't remember why. It's only if we call it createBody, or create its body, and createComment and something else. All right. All right. Callback. Quote, hash, quote, semicolon, alert one. Wait a minute. Quote, hash, double quotes we're talking about. Just single quote on both. So single quote, hash, single quote, semicolon, and then alert one, and then slash. Actually found it. Yeah. This is what we were doing.
I was doing some tests with Giovanni. I found a cross-site scripting that was like this. It was in JSON. So I had to escape it like this. Well, that's turning it in. Yeah. Turning it into a dictionary, slash, object or whatever. Trying to do it in JSON. Wait a minute. Yeah. Will you throw them to the very bottom? You can hit all of your own. No, I see. You're actually creating a man. He's on the Android one. Dico CTF by himself. No. Yeah. Like, get a prize or anything. But it's first on the scoreboard. Thanks. Can we do this one? Scandia. I did all three Scandias with the exact same thing. Okay. Which is complicated. It's 1200 characters long. So on the first one it's definitely not good. I don't know. Yeah. I know. That was the ring. Yeah. The JSFuck. Yeah, the JSFuck. What's JSFuck in there? Why does this not work? What's the uppercase work? It's this. It's this. So you go to this website. Do you do anything in JavaScript with six characters? So you put an alert one as that. Interesting. Yeah. That is awesome. A compiler for JavaScript that doesn't use any. It only uses those. Yeah, that's incredible. Just this weird work in JavaScript. Because there's something about. Ah. Yeah. Because something is equivalent to, like, a blank line or something. Well, because you can still do script tags in there. Can't you? Because it's not working because the JavaScript's uppercase. But can't you do another tag that would execute the JavaScript, like we did with the onerror one? I don't know. But the text that you put in that onerror handler would only be uppercase. They still couldn't call alert. That is awesome. Okay. So you put this in there. Wait, what did you do for that? Jesus fuck. I did not know about that. Oh, here. Symbols might be working. Because it's all symbols. I can't find the 27,000. Yeah. And I think about 30,000 or so actually had libraries. Or binaries. And none of them. Yeah, so this is how it works. That's awesome. So how does it get alert? So you go like this.
So this gives you false. And then you can get numbers with plus. So that's one. Oh, there we go. Okay. But how do you... So you can call dot on that. And so you can say dot. So you can call any function of the string's last. Yeah, but you can't, because of the uppercase. Right, exactly. So you have to actually put, exactly. So this is like alert one. And then it does it all. Actually run that. That's incredible. So this one should be easy then. It's just... It's exactly what he has in Slack. So it's double quote and then all this stuff. Yeah. That's a shorter way to do this. Yeah. Well, that's way more than the 35 that they have. But it works for all three. So it's generic. Someone did it with 3,000. You can go even longer. 35. So I kind of cheated. If you look at it, read me. I don't hear it. I don't know. I didn't know. Can you... Maybe you can call toLowerCase with symbols. And then it's shorter. But you can't call toLowerCase. Oh, with that, I see what you're saying. Yeah. You need the print. Because can you... Can you do something where you look out of the window? How does it work in JavaScript? Can you look out of, like... If I hadn't lost my laptop, like... You lost it? I lost it outside of his house. What? I just... I sat it down on the ground and I walked away. Is it a rough neighborhood or what? This morning. I hope it's not a rough neighborhood. It might still be there, hopefully. Oh, like you left it outside and then left? Yeah, and then I forgot about it. I took a Lyft here. I walked out. Wait a second. Where's my laptop? It's all part of the... Pacing process? Yeah, the aloof persona, like professor persona, you know? It would be good. This candy is hard. Yeah, but if you... Yeah, so it's probably better. There's definitely... If you can... Because this is optimized to not do any of this, not use any non-uppercase characters. Can you address using... Or index using integers into, like, the properties, whatever dict, in JavaScript? Didn't we do what?
Yeah, that's done. We just did it today. Yeah, I remember I did it last week. So there's got to be a way to turn... Because we want to get a reference to double quote dot... To the lower, right? That's what I was going to put inside. Type quote? Oh, so what you can do is you can write it in there and also on the outside there. Wait. All right. Maybe that's... Maybe that's a character code you could use. So you want to make it pop up there? Why not? Yeah. It still needs to be parsed. Like the alert fail, ERT needs to be... Yeah. Can we unescape something using an operator? Like, can we unescape a string in JavaScript using an operator? Maybe. What we're going to do with any character, the problem is everything that we put in is going to be uppercase. Yes. But if you can put in %41 or %61 and then try to unescape that. Yeah, with that function. Unescaping. Yeah, exactly. Any sort of the name is going to be hell on the... Is that called JavaScript? Any of you guys know? How to decode... If we can decode using an operator? I have no idea. I think this is what we want to decode. This may be... To try it. Try it with backslash x. That might be okay for a catbook. Oh, but it's supposed to be not only you. I think it's going to mess it up. Well, but try backslash x 61. JavaScript is the text. I mean, it's C and Python, maybe. I'm just saying that JavaScript... What happens when you subtract a... I think it's going to call another function that... Yeah, it'll edit it out and post. You can start bleeping the heck meaning. Yeah, because there can't be any cursing on the internet. But look, yeah, backslash x. So it's just the fact that it's an uppercase X. Backslash... Yeah, there you go. Yeah. You see, when we add AD Mario over here we actually add WebDun. What are we going to... All we need to... Just alert it often. No, no, because it's going to log it. It's a string that we're logging. Right? What? So... But you have to close it. So I know we're closing it.
Right, and then we can comment afterwards. Now if I do, like, 011, this is an escape inside of a JavaScript string. We need it. We can get the string alert, but we need an object to actually call... Oh, no, what if... Function. We can use the JSFuck to get Function. Well, what if we used... Would the tag inside the thing work? Because the tag calls the JavaScript function. Yeah, like the onerror. It calls it... With a script tag. With a capital SCRIPT. Yes. That's an HTML tag, though. I mean... I don't think it'll work, but let's see. That's fine. Why can't you escape it? Why can't you escape the onerror? The onerror is fine. No, no, they're both fine. Oh, is that okay? Because HTML doesn't care about the case. But the problem is... So, like... What's the word? Zero. What's the word? A. Does anybody even memorize the octal table? I'll get to it right after I have the hex one. Wait, why'd you do 150? A-L. Now the big question is... What's this unaffected token? I'm not sure if it'll... Oh, oh, oh. Well, it's not... Yeah. Don't you need another script tag, though? Close it up. So here's what I think should be fine, though. Okay, it wouldn't need to close. Or open it. Yeah, the onerror... This isn't getting parsed by... So I think what you need to do is set this to a variable and then call that variable. No, no. And about that variable... Yeah, you can call it... You know, we could do that already. We're already inside JavaScript. Yeah. That's what I was saying, that the onerror... It's probably not necessary. And that works. Yeah. But... Oh, Adam, you got it. Yeah. I can show you up here. Yeah. I used... It's called HTML encoding. American HTML encoding to be used then. I can shrink it. Oh, God. Okay, because it does HTML. So I... It said use the pound sign... Yes. In HTML, you can use this. So... In source... A... The onerror... In HTML, you can do... How's the ampersand, and then... Excellent. Do the S on here. Oh! Yeah. Oh, now they're getting to that. I tried that on, like, ampersand.
Several of the other ones. I don't know if that is easier. No, I just... There's got to be a faster way to trigger it without using onerror and such, you know? It won't go away now. I'm going to have, like, three days. Because you're already in a script tag, so you can do eval with the JSFuck stuff. Or that would ask you more of a question. Do you have the JSFuck? Yeah, I started it open. Do you see what eval is? Eval is on the basics that you get on. I was wondering what the score was. Oh, no, eval is hard to get. Do you need the semicolons? Yes. So you need X in front of the numbers? Uh... Like this? Yes. When? When and how many characters? 78. 78? That guy got 35. Do we think we can do better? Probably without the onerror. Do some better. Do we need the script to be on there? Is there another tag where we wouldn't need the src equals? Is there another tag where we wouldn't need the src equals X, because that's just taking up space? Do you need the src equals? It's onerror, or fire without? Onerror is the... I think it's the most general. I think with an a tag, you need somebody to click on it. You need some user action. That's why image is the best for the onerror. You can force an error by having it get an onerror. What you can do if you have another tag that you're loading into, you can put an onmouseover attribute, and then use style sheets to make that element as big as the entire page. But that would be off your element here, which I don't think they do. That is if you're doing it for real. That's the way you do attribute cross-site scripting and make it always trigger. It definitely won't do the HTML rendering inside the script tag. I don't know. I guess we can check. I'm fairly confident it won't. Harder saying it. The backslash-u or the octal characters would work for a JavaScript string. So if we could call it, eval function, how hard was it to get? Eval was hard. Yeah. Function... Wait, can you just close that console?
Can you just do the alert one just like that? The console? Well, see how it's console.log. Up there is your intro tag in the script. Could you just do a closing paren and then a semicolon and then do those characters? That's the same thing we're doing here, right? The problem is this is not JavaScript. This is HTML encoding, so when it's parsing everything that's not inside of the HTML, that's what it uses. But because here this is a... So everything between the script tags, the browser engine is parsing it according to the JavaScript language. We did good. We did better. Yeah, 78s. Yeah, that puts us to the top. 76. This is the top-ish. Okay, cool. Tablet? Slightly more complicated. Make your own... Won't you get a high enough level? Maybe solved this yet or not? I solved it, but I'm not entirely sure why it's working. I kind of guessed. Okay, let's... Flag's a flag, man. It seems like it doesn't make sense why it's working. We need to know why. Are you figuring out why it's working? If you can explain it to us, then I would tell us. Otherwise, we could just read a walkthrough. Have somebody who can explain it. Sometimes the walkthroughs do not count as explaining it. They say, hey, we did this, and we magically came up with this huge string to show up on the wall. Did you see it by Twitter, or write-up for the crazy confidence vulnerable? No. 140 characters to write up. Thanks. I don't think it counts as explaining it. No. Okay, keep thinking about it, talking about it. I'm just looking at the recording and everything that shows up on the screen, and you're displaying it to all the students. So we won't tell them, just go to the second screen. Did you guys just do that at UCSB? Or do you encourage them? Like, attack each other? Yeah. If you leave it unlocked? Yeah, it's boring. It's absurd. We didn't use to, and then I started on the lab, and then I'm a very mischievous person. We used to do, you can't do it anymore. We used to take the mouse ball out of the mouse.
So people, you know, non-technical people would just be freaking out because the mouse wouldn't work. I once performed a mouse injection attack on a friend of mine. I hope I've been a wireless mouse. And then just every once in a while it was illegal to have an extra mouse into my name. He was going crazy. He'd be showing subjects into your body and then it's a mouse that's starting to blink. And then it just chokes to the bone. I was just trying to, like, bring glasses for about a few years and a half. What? What was his desktop? Yeah, it was just, like, in a bunch of wires. Somebody who wants to be... So do we have any ideas, guys, about this? Escaping all of the fun characters. That's a good point. It looks like it's also escaping HTML-encoded stuff for my non-sync quotes. What about what we just tried? Oh, no, you can't. Yeah, and we can't use the HTML encoder needed for the last one because they encode ampersand. We do have slashes. Oh, yeah. Octal works. I mean, what... So if you do... Backslash, like, 141 is an A. If you look in the test frame... If I what? If you scroll down a little bit? Scroll down, how do I do it? Yeah, right there. Okay. But it doesn't... Oh, is that how I can get the... But can you get a single quote like that, or will it not? Yeah, I'm sure. No, if you can get a bracket through... I don't need that. Don't blame me. So, we want to get the... Scroll up, that's hex, we want. 047? Yeah. There we go. No, 075. That's still hex, we got to go... 074. Yeah, 074. 074, yeah. 074, what if we close... Just try A with a closed bracket, because A itself won't be... Escaped. Need to be escaped. And then the closed bracket... Yeah, I was saying the A, yeah, just make it an 8. An anchor tag just to see if it works. 057, an anchor tag, not a close. Yeah, do that, you got to close it at least. Yeah, close it. Yeah, there you go. Oh, yeah, that's working. Nice. Done. Yeah. And then the A is 740, what was it?
Well, you don't even have to do that, just type it. A doesn't get escaped. Yeah, we have it. Yeah, we have it, but I'm not understanding what... Hold on. Well, first, you only have to escape the ones that are being escaped. Oh, I see what I'm saying. Yes. Just type in... Also... Okay, so we closed the link, and then... Well, no, that didn't close the link, did it? Yeah. Oh, innerHTML, yeah, so that will be interpreted by the browser engine. So that's going to then be parsed by the browser. Yeah. Whatever is inside that string. Well, I saw the A at the very beginning and thought that the A was on the outside. Also, you have an X in there. And another A. Oh, the X is... Okay, so that... Yes, awesome. Okay, that's why I think they're putting it out. Okay, so we closed the... Dad! I mean, messing up. And then we just do a script. Is that the fastest? Do you think? I think it's 0. That's the... That's on there. That's the slash. Over-slash? No, no. Do you know the books? What's the 74? Why do you have that A at the start? No, that was just a test. Yeah. Let's see what ended up in here. Why is it not showing you? Because you need the H2. We just put in the H2, and the H2 goes on. The CR-IPT? Yeah. You could try the img onerror. Yeah. I don't know if it matters. You may need to close the A. Wait, what? Or start a new A tag after it. Because there's a closing A tag? No, but after the script is closed, then it should matter. Yeah. Yeah. No? No. Not at the end of the script tag. So you have to refresh the page? No. I don't think so. There's differences. Setting A to HTML. I think you need the image tag. 047? Yeah. 047? Lower my A in there. I wish we didn't need the src equals A. Oh, you know what? Does I think the src equals work? Yeah. You may not need the backslash 047, try that. Oh, yeah, just made up. You might be able to do it also with an SVG tag. I'm looking at the OWASP cheat sheet. Oh, yeah.
And let's, yeah, it looks like it's an open, or greater than, or less than, then SVG, then forward slash, onerror, no space, onerror equals whatever your thing is, and then close SVG. Yes. Oh. It's so low. Yeah. Yeah. And then close SVG. And then, yeah. That is a close. No, we need a close SVG tag? No, not a close SVG tag, like a greater-than sign. Is it greater than? No, not even a slash, just a. Why isn't it? So this is what we ended up with. That may be browser-specific, though, does it say? No, it doesn't. Look at our test iPhone, though, a lot of these cheat sheets. Yeah. We don't use all the, like it's saying. I mean, it does, it says to use. Why do you need the slash? To cause an error, I think. Oh. So maybe a space. No, well, because they use onload instead of onerror. But I don't know if onload, or onload work. Because onload. Yeah, they use onload. So here's what happened. Oh, the forward. Forward slash got. Yeah. They got parsed. So just try onload. What do you think of the forward slash? Before the tag, I'm closing A. So it goes A, open A, close A. I guess we don't need to close A, right? So the course is open. Yeah. Exactly. We don't. We can have a sub. What? Sorry. When they looked up the HTML, the forward slash. Yeah, they said it parsed it. Try, maybe try doing the actual forward slash in onload. We'll just take the slash into a space. Yeah. We can use spaces here. It could be because we're doing that. Because we'll ignore it. The parsing engine. When do you need single quotes around the onload event? Oh, wait. We decided onload didn't work. Change it to onerror. Yeah. Quick. No, I didn't. Onerror. No, we had that before. Well, yeah, but we wanted to see. Oh, yeah. Well, it's 28 characters. Is that the... Yeah. Nice. We can change that to an image tag. I think we should be good. But it will get a little bit more. But yeah, if we just do image. What if we do image onload? No, you can't do onload on an image tag.
We can go ahead and prove it to yourself. All right. That's my question. What? I mean, you know, just for your benefit. But then we're back to this. Yeah, that's 34 characters. That's much better than we were. Yeah. Because we didn't know how long your closing tag was. What browser is MOB? Is that mobile? I don't know. Mozilla? MOB? I don't know why. It's the mafia. Mozilla browser? Okay. I think we're pretty good. We're in, like, the top 20. Happy. Yeah, I'm happy with it. Next. You go up to the top and then you select JSON2. You don't need the zeros before, like, 76. That's a good point. Gosh, y'all. Man, I need that one up. Boom, 32. Wow. You need a source name. What if you just had src? For some reason, you also don't need that closing tag. The backslash 76. It works on my browser. I guess you do need a browser. I want Chrome version. You did it in 27 then? Yeah, it should. Just get rid of them and put a space. Space backslash? Yeah. Space, 28. Look at what it does. Without that space, that's, like, part of here. With that space, the parser is basically fixing your broken HTML. It's closing A, so it goes, oh, this must close that. That's nice. That's 28. That's going to be top 10. That is top top 2. 26 now. Now we just need the 26. Probably a different attack approach. Yeah, I don't see what we're going to move from here. Can you cause an onerror with something other than a src? Like an S. What happens if you just do S? Because the src, having just the src, so this is a valid way to do it. So it's basically specifying no source, which is causing it. Is there an event this short? I don't think it's not one that triggers automatically. How low does it trigger on an image? Only body and a few other tags. Yeah. Yeah, like 20 is. Yeah. Oh, this is super easy. Yeah, we did. Go back to JSON, the first, the third. So you see this one? Right? So, yeah. So take that and then let's try it on this next one to see if it does. It's definitely not going to work.
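Editor's added example (not code from the recording or from the challenge sites). It models the two filters the group bypasses above: the challenge that folds the input to upper case before reflecting it, beaten with JavaScript octal escapes and HTML numeric character references, and the challenge that entity-encodes `<`, `>`, quotes and `&` before dropping the input into a JavaScript string that is later assigned to `innerHTML`, beaten with `\074` and `\076`. The filters themselves are reconstructions of what the speakers describe, and the decoders stand in for the browser's JS parser and HTML attribute decoder.

```javascript
// Editor's example. The filters below are assumptions reconstructed from the
// session; the decoders emulate what a browser does after the filter has run.

// Emulates the JS engine parsing a double-quoted string literal. A Function()
// body is sloppy-mode code, so legacy octal escapes such as "\141" are accepted
// exactly as they are in a classic <script> block (strict mode rejects them).
function decodeJsStringLiteral(body) {
  return Function('return "' + body + '"')();
}

// Emulates the HTML parser decoding numeric character references inside an
// attribute value; an onerror="..." value is decoded before JS ever sees it.
function decodeNumericEntities(attrValue) {
  return attrValue.replace(/&#(x?)([0-9a-f]+);/gi,
    (_m, hex, digits) => String.fromCodePoint(parseInt(digits, hex ? 16 : 10)));
}

// Three encodings of the same ASCII text.
const toOctalEscapes = s =>
  [...s].map(c => '\\' + c.charCodeAt(0).toString(8).padStart(3, '0')).join('');
const toHexEscapes = s =>
  [...s].map(c => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const toDecimalEntities = s =>
  [...s].map(c => '&#' + c.charCodeAt(0) + ';').join('');

// Filter 1 (assumed): the "uppercase" challenge calls toUpperCase() on the
// whole input and reflects it. Encode -> filter -> decode, and return what the
// browser ends up with. Octal escapes and decimal entities are digits plus a
// prefix, so case folding cannot touch them; "\x61" becomes "\X61", which is
// not an escape at all and decodes to the literal text "X61".
function throughUppercaseFilter(payload, encoder, decoder) {
  const reflected = encoder(payload).toUpperCase();
  return decoder(reflected);
}

// Filter 2 (assumed): the "escaping" challenge entity-encodes < > ' " & and
// then embeds the result in a JS string literal that the page assigns to
// innerHTML. Raw angle brackets therefore render as text...
function entityEncodeFilter(s) {
  const map = { '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '&': '&amp;' };
  return s.replace(/[<>'"&]/g, c => map[c]);
}

function throughInnerHtmlSink(userInput) {
  const literalBody = entityEncodeFilter(userInput); // server side
  return decodeJsStringLiteral(literalBody);          // what innerHTML receives
}

// ...but "\074" and "\076" contain none of the filtered characters and are
// turned into real < and > by the JS parser, one step before innerHTML.
const octalTag = body => '\\074' + body + '\\076';

// Does the string handed to innerHTML open an element?
const startsWithTag = html => /^<[a-z]/i.test(html);
```

Two things the block makes explicit: the bypass is not about any one encoding but about an encoding that is decoded by a later stage than the filter, and the hex form only fails because its prefix letter is case-sensitive.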
Because it's getting rid of the closing script. The closing script. Yeah, you can see the replace. It's replacing that. Wait, just change the slash to 76? Yeah. Oh, it also escaped the slash. And I guess this does. It does JSON.stringify. Yeah, so it's turning that. But what do we know? Did we talk about this? Oh, maybe not. It's filtering. Yeah, exactly. It's only replaced once. So what can we do? Put it on the inside. And then put the thing we want on the outside. Yeah. Actually, you have to type out. There you go. You just did it. Go back. No, delete one character. See? Because that's the thing that it's grepping for. So this is if you do a single grep, right? It's literally doing your work for you. So you put the character that's not wanted, or the character sequence that's unwanted, in the thing that you want. And so... Oh, it removes it. Exactly. Yes. It's a common trick. Yeah, these are the sort of things that I've never saw. Yes. But this is like a class. That's like a classic filtering bypass. If you are not doing, like, remove all instances and do it in a loop. If you're only removing one, this is a classic bypass. Same thing with SQL injections, all kinds of stuff like that. Having it maximized to the script up, right? Maximize. I just maximized the problem. No. All right. So you want to click. Why don't we copy in the callback from callback warning? So this one actually works if you use an HTML comment instead of a JavaScript comment at the end? Yes. You know what the comment is? Why does that work? Because. Because HTML parsing happens before. So we just end up with a hanging script. Yeah. Why don't you right-click on it? Or take us to the iframe so we can see how it parsed it. Yeah. No, this is it. Yeah, but how's it parsing it? How do you tell? You're over it. Yeah. It's the same with whatever that was. Wait, scroll back up to the top of the page. Is it still? I don't know. Maybe JavaScript comments are part of it. I thought this was the most.
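Editor's added example (not code from the recording or from the challenge). It shows the single-pass filter bypass just described, `</scr</script>ipt>`, against a filter that removes the token once, against a global regex that is still a single pass, and then two ways of doing it right: repeat the removal to a fixed point, or stop deleting and instead escape the characters that can end the script context. The filter functions are reconstructions of what the speakers describe, not the challenge's code; the last point also explains the remark above that `JSON.stringify` did not help, because on its own it leaves `<` and `/` untouched.

```javascript
// Editor's example. The "once" and "global" filters are assumed shapes of the
// challenge's replace(); the bypass and the fixes are general.

// Vulnerable: String.prototype.replace with a string pattern removes only the
// first occurrence, so the filter splices the surrounding fragments into the
// very token it was trying to remove.
function stripClosingScriptOnce(s) {
  return s.replace('</script>', '');
}

// Still vulnerable: a global, case-insensitive regex removes every occurrence
// that exists before the pass, but one pass can manufacture a new occurrence.
function stripClosingScriptGlobal(s) {
  return s.replace(/<\/script>/gi, '');
}

// Fix A: remove until nothing changes (fixed point). "</scr</script>ipt>"
// collapses to "</script>" on pass one and to "" on pass two.
function stripClosingScriptFixpoint(s) {
  let prev;
  do {
    prev = s;
    s = s.replace(/<\/script>/gi, '');
  } while (s !== prev);
  return s;
}

// Fix B: do not try to delete a token at all. When the value is going inside
// an inline <script> as a JS string, JSON.stringify handles quotes and
// backslashes but leaves "<" and "/" alone, so "</script>" still closes the
// element. Escaping "<" and ">" as \u003c / \u003e keeps the JSON valid and
// makes the closing tag impossible to assemble in the HTML parser.
function escapeForInlineScript(s) {
  return JSON.stringify(s).replace(/</g, '\\u003c').replace(/>/g, '\\u003e');
}

// Does the HTML parser see a script-ending tag in this text?
function containsClosingScript(s) {
  return /<\/script>/i.test(s);
}
```

The fixed-point loop is the minimal repair of the filter as written; escaping is the one a practitioner would ship, because it does not depend on enumerating bad tokens.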
Yeah, no. Maybe it's part of JavaScript. The JavaScript engine. Maybe it's just. Oh, that's. Yeah. This is just not included. No, no, no. The end script tag is included. That's what I mean. It's not being parsed by the HTML parser. It's not. It would have a start comment here. Yeah. Or it would be like a comment in the DOM. There's no comment in the DOM. Oh, right. So it's still this ending script tag, but. So you can use it to. So JavaScript respects the HTML. So that must be what's going on. Because you used to have to write script tags. You used to have to start it with the beginning HTML comment and end it with the closing comment. Browsers wouldn't support JavaScript. They would just display your code. So maybe that's all. Those are on the outside, though. Yeah. No, they're inside of the script tags. Because if they're on the outside, the browser wouldn't parse the script tags. Your comment's out here. You won't get anything. I thought they were. They were scripted. And then starting the comment. And then you do a new line. And then you have your JavaScript code. And then you have the closing line. And then the closing line. Oh, you do a comment. You do a comment with the open. Yeah. No, I'm in a JavaScript comment. Good old code. It's magic. Also type first. I think at that point you can say you're in first place. First place. Iframe. Keep this thing up. You should keep leaving more often. And then you keep solving stuff every time you leave. Really? Can we get a reference to top? Wait, how is it doing it? It's injecting. I guess 4i.am. Executes anything, right? Is that a natural thing? Yeah, it's got to be. View source. Right-click. View source. So what happens if you put a script around it? If you spell it right? I think HTML is permissive enough. What is the 4i.am? Presumably their domain name. For some domain name they own. Sure. So we just get the reference to the top window and call that winning. What's the onload attribute that it's setting? Yeah.
So it checks if u1 is set, and then if it is, it calls a learning one. I'm trying to do the script tags. This is setting your script. Well, if you type in something, it puts you, like if you go into the input right there and just type something like hello and look down what it outputs, it puts you in between script tags. Yeah. Yes. I don't need the script tags. Okay, where's the tag frame coming? The very first line is tag equals document.createElement iframe. Okay. Yeah. Hello. So do we just say learn one? Oh, I see. Okay. That's what I was missing. Well then, that's what we're giving is put it in between script tags, and the source of that tag is... So we're executing something inside of that iframe, so we need to... Get a reference to the parent. And I did this. I need to have station to my desktop. Well, let's switch that. Okay. It's window.something. Well, they already use this window.winning. So I think window.winning is a function on the parent that we need to call. Do you guys agree? What are the... Where are the script tags coming from? It's getting added right here. Oh, I see. So it takes our input, wraps it around script tags, puts it as this thing as the raw part here. And it's onload on there. I'm going to set u1 inside the... Yeah, so if you call winning, it'll set u1. But it says window.winning is not a function. Yeah, because this is... That's outside of that iframe. Yeah. So I think if you do window.location top, maybe, that might... No, I'm full of shit, but hold on, there's a win. Yeah. So we have the same-origin policy coming into effect here. Those are in my class. What if it's the same-origin policy? We have an iframe, so this code that we're passing in that's executing inside this iframe is not allowed to execute from other origins. What we need to do... Yeah, so this code here is all in alf.new. So we need to somehow get out and call this alert one. And there's this window.winning thing. Well, I ended on learn.
Don't really wrote down learn in that. So you have to just call it, right? Yeah, I don't know. Try window.open, top, underscore top. So this should hopefully get us a quote underscore top. I have no idea. That's just blocking opening this in a new window because the frame is made in a sandboxed iframe which allows-popups is not set. There's a way to get a reference to the parent. I thought it was window.top. Oh, just window.top. Or window.top.winning. Yeah, it just blocked a frame with origin, rest in the process. Oh, maybe that's window. Top should be the top. So if you have frames or anything, it's the top frame. postMessage and send something. postMessage. window.top. Winning. Yeah, do you get blocked? Blocked a frame with origin. The cross-origin stuff, right? When it gives you access to location. I'm going to access that, but the properties I can see are assign and replace. Yeah, I think that's normal. I have permission to navigate the target frame. It seems like this onload event, though, is firing after us. So can we set properties here? Can we say top.u1? Oh wait, wait, wait, just the window with origin blocked. Why does it give us this URL? We can always escape this script. Right? It's making sure that this is coming from a different domain. It's doing this to ensure that we get this cross-origin, I think. You think so, because it just is always an idea to put it in an iframe; it would be coming from the same, like this one here. Wait, but why can't you close that domain? I mean, close it. What is tag? What is what? Tag. Where does tag come from? Where does tag.src come from? Oh, it's up at the top. Tag, creating an iframe. S is us, put in there. Tag.src is this. That's a window function called winning. Maybe we should do a postMessage to it. We're going to call the function with postMessage. I don't remember. I forget how. Two arguments. Any of you guys used postMessage before? Yeah, target origin.
window.postMessage, message, message... do it. Would that be possible to attach? For the postMessage. Do it inside the parent. You encode your components, escape stuff. Yeah, about like window.back. Is it document that on load? Oh, but it's now not undefined. Yeah, what is this? Is there this stuff winning? Yeah, this stuff winning. You can call window.parent, top, to high level. There needs to be a how-to web, like how to keep. It seems like there's a, I feel like if you're not gonna break cross-origin, because it defines it in the winning function. What does, they've been doing what I read it today? Is there any way we can, this.try, this.u1? Try this.u1 equals true, because we actually saw the winning variable with this, right? You did console this. If we can see that variable, we're done, I think. I thought it was in there. But u1 will always be undefined. That's the other weird thing, is it defines this u1 thing. You don't necessarily have to call winning, right? If you can figure out a way to define u1, otherwise, because we're executing before the... Well, that's normal, that's normal, like if you have inline JavaScript, you call it on load. I mean, I can't, I mean, there's a number of times I've had to do that because you needed to go after. Winning was not, look at, just look at console this again and look at what's inside of it. There's a lot of nulls. I just wanted it to be there. Wraps us in a script tag. So yeah, that's from me right here. I was like, yeah, I did see that. It's still this, it's still saying. We'll take it out of there. If you do console.log, yeah, and here in this frame it is, yeah, but it's not outside of this context. Like, this u1 would be the same here in this scope.
So that's why we want this to be This will be a global you want Yeah So if we can somehow get our code to call this winning function, then we've won Question is I literally don't know how to I mean maybe Oh Gently it's hard to tell exactly where the vulnerability is it's got to be on one of those two places Yeah, we have to do this u1 or could be something Stupid same origins policy. This is like an axe for exploitation just ruins all the fun This script is actually closing this And one is not like a sub-domain of the other right there totally different for 4 a.m. Versus some random other one One isn't the sub-domain of the other right? 4 a.m. And then off that new okay Otherwise you can change your Domain what if we find a Log in the JavaScript VM break out Breakout of sandbox exactly win phone to him and then just buy this domain name and make it call third one No, not for either am I'll talk about out that new But I like Eric's idea or a second might be just to break the web server itself and get the source code and then Change the source code so that if you type in phone devils you win this challenge, so you're saying that we have options. Yes What is this XSS equals zero CT It's the I believe it's parts of this for I am the XSS is setting XS protection headers to zero so not sending any of the CSP or any of the in Chrome myself doing that XSS prevention thing because it's literally echoing And chrome to say was that by default right Right exactly, so I think it's disabled here. There was a CT is the content tech So it kind of takes HTML, but that's for Chrome's benefit for all the browsers So that you can actually execute the job So although I was a promo refuse to execute. Yeah, if it sees part of a query string JavaScript though that will refuse to execute it. There was a OCTF challenge I did some googling, but so there's post message. 
There's a window that document that domain Window that document that domain ends up You can you can change it only to subdomains of yourself or parent of yourself, so we can't change it to Out that new If you just define the variable that didn't work right document that domain No, just oh That you win It says we still get the way this one. Yeah, hold on maybe After that new counts as a subdomain of no, so there's the window that document that domain right and then And then yeah, there's post message The other side needs to set up a receiver. Yeah for post message But but when the document that domain you can change it to Subdomains But change it just try changing it to no no try changing it to alf.new. Yeah, try that it Whatever we were doing that was executing it before Semi-goal Okay, let's set times forbidden for sand great Why are we a sandbox diaphragm? All life in just a box Damn it now because all your kids worried it What if you redirect ourselves to alf that new Yeah, that's kind of what I was thinking, but then how do you execute? Oh What if you redirect ourselves? I don't know this can create what if you do redirect ourselves to a previous of that new challenge that allows us to Execute your JavaScript and then grab the parent iframe and then That's not sandbox. Can we create our own iframe in the page that points to alf.new or somehow? bestow the right from our page Yes, we could definitely make an iframe that calls into how that and then maybe That can access top, but it would be able to it. It needs to be able to call JavaScript Directly with a get request, right? And we can't really interact with it once we create the iframe because it's a cross-origin thing So so are we sure nothing on out that move can like we hit we hit a URL that calls JavaScript All of this all of these are done in JavaScript. Yeah So these are all they take your input and the page doesn't change. Yeah Unless there could be a frame or something. I mean, oh, is it a frame? 
Is that it? Are you in a frame over there on the left? Are the frames on this? You know, we did call though alert dot one in that when we actually inputted the URL itself. Yeah and called Alert dot one in that in like its own URL. We could do an iframe of that But that's still the domain has to be the same. So the main would be if we framed this So it's gonna be for I am I'm looking at Windows object properties and what does the name do it just sets and return name of a window Yeah, it's a handle so you can refer to a window again So if you have a pop-up window you would set the name so that you could refer to that again somewhere else in the Underscore top and other default ones. Those are default ones. Yeah, or you could give it your own city You could keep talking to the same window We don't use windows anymore. Well, can you set the same pop-up in their lives? Can you set that window though the window that winning of our window? Yeah, it's gonna be blank. What's really weird is our domain is blank too. I would expect our domain to be Or I am Be sure you can't call JavaScript Yeah, what if you do So in the hashtag Exactly What if you go to One of the simpler guys like like the very first level for example Warm up should just take a Almost all these are on the same page. Are they yet? I don't know that they are that yeah That's the first question. If you right click on here. I'll be in the night frame Because there's a link at the bottom to be able to link to your game I think it stores all your state in a In a what? Which is strange because it pulled yours back up right I mean it pulled others back up right when they got there So but this access token now we're gonna hack the site Like you're getting to Because you can use this URL What if you change something there does it just reset it completely like do it in and they can get a load Yeah, okay, so it's all or nothing. 
It's not like it encodes The So everything I'm overthinking it Yeah, so why can't we just modify the headers that we sent to that So like you know how you know how they're checking for the same origin Origin in the What happens what so the domain here is set based on this source? Yeah, first of all when you click on the source of this and second of all, but when you go there, is there a false value for the The origin defined here the port so this is an iframe the source of the iframe it's protocol HTTPS the host which is for I It's from this yeah, we can't I'm trying to look this encode your I component is the correct encoding here So we can't mess around with that at all. It's got even one of these two things both of these things are weird than doing this Setting this winning function and also setting this Well Not standard like this other stuff is standard Like I think all of this rest Yeah, that's what I mean, yeah, it's like it's somehow in these two things but anyway to search Through the entire window if we go from window top and to search the dom somehow for what about For winning I mean winnings unique enough. It's not going to exist anywhere else Yeah, just put it in the URL Oh, you probably do it with Jake Can you go to what is called on minify or put it by whatever JavaScript So window dot Winning is a global I Think the property of that window you went you wanted to go this thing I was looking at said calls that a Global variable Window Did you try square brackets We need a jar for you She eventually got over it when she came a manager You go back. Yeah, this guy is there a way to Load it up with an input value in that text box already If there is then I think we can get around all of these crazy restrictions No, it's console. I don't think it's blurred because it it goes into the default, right? So then if you click out and back in Okay, what if you copy that Now the whole thing the whole URL open it up an input game mode. 
Oh, that has the extra K Oh It's not loaded with okay, so it's blurred here. What if you click on? Yeah, this must be in a local session or something If you click on the same This is I call that Would be too easy though No, I mean if it just reload these fields, we still need to properly solve the level, right? It's just an input that You Glorious that's it. That's the best that's the best he's learned from you That's When I need to type angry messages on the internet so like daily Just switch it to shift shift you can always just do it to offer Yeah, I could I could exploit the cross-side Vulnerability and whatever site I'm posting on and just call to her on I don't think we I'm sure Looking on like we basically have to reverse all of the Yeah, so is there a way to search all of the window elements Search all of them like this through all Well, yeah, but you need some kind of iterator I Okay, at the very least this will require going through all the JavaScript to see if anything ever sets that guy by default because it does Doesn't from an obvious look like a quick look it doesn't seem like it does The text box train see the brilliant inception attack I frame with my frame If you want to get a reference to the I frame then you document that get framed by I You looked up the write-up There is a way to get the frame You probably you can look up W3 schools They're getting a frame Okay Every way goodbye goodbye