 We are, as everybody here, so we are on this alert one to win on the warm-up problem there. I think there are multiple problems. I have actually done this before, so. So the idea is it's got a little bit of JavaScript code there, and so it's generating some HTML incorrectly, and you need to prove that by getting it to execute the JavaScript function alert one, which is going to pop up on the feed. It was, hey, we got first, we innovated, and we had a first place in Injects. It's because you weren't there, Adam. I think we're probably useless. Well, Dr. Fawn just sat in the, uh, what's called, like, the outside room. So like, 12 hours, a lot of fun for me. Thanks for recommending me for that. Oh, definitely not. Not the shell. You can download the jar file. And then you can make it executable. We're going on web stuff, so we're doing... Let's go with... I don't think you need verb. We should bring your computer next time. I'll just do stuff with the computer. It's a hands-on thing. So, type stuff in the input. What does it do? And you can actually see the output that it's doing right below. Thank you. Good. You weren't at the, uh... Thank you. Oh. Hi, people. Edgy. You guys are going to get pizza by your president? Yes. Pizza. Oh, the voting? Yeah, it's a part of the vote. Did you get voted in or what? Like, yeah, yeah. Yeah, we need to re-vote. It was... Yeah. But pizza. You get pizza. Vote for me. I give you pizza. Why so much cheese pizza? Uh, you know, it's because... I didn't know I was... It was a split-second decision. Because I actually got this pizza last week. Right? But our meeting last week didn't actually happen. Because as I found out, nobody would be here to actually lead the meeting. So I paid for the pizza. We can still meet though. I'm still coming by. Well, no, I wasn't going to be here. I wasn't going to be here. Emmanuel wasn't going to be here. Eric wasn't going to be here. And Adam wasn't going to be here. And so we were just... 
I was just like, well, if nobody's... We're not going to like, learn something new then... Because if Emmanuel or I was here, we could do something. So is this a website? Yeah. I don't think Mark... Is it this one? Uh, exit. Yeah. Come here. Take him along. Yes. Put it here. Uh, use... Navigate to this? No. Just exit. Go to your actual machine. So... So are we... Are we... Good. What are we doing today? He never talks. He's an expert. I'm sure he does. Do you see the app there? The app. Yes. Install OpenJDK. I know. Open. OpenJDK. That's good. Good, good, good. Because I've tried that... Patap. Go to your own app... Patap. There you go. So we're going to select the 7.jre suck. They're helpful. Yeah, they're helpful. You just put 10, then 7, then 7. Yeah. Dash. How can I wait? Can I just stop? Dash. Is that after our meeting? Yeah. After our chat? Yeah. This was today, this morning, that or? No, we didn't scare you. Are you? Right after we're done. I got a phone call from him and I was talking to him outside. Okay. So with OpenJDK, you were able to come up with that. So what exactly are we doing? Instead of just talking to him. alf.nu slash alert. Alert 1. I think we know. I don't know that we know it's process driven, but it's process driven. So you need to get it. All the alert ones. So. Oh, look at this. So what? Yeah. Okay. So what we have from OpenJDK, you can download it. You can download the original version of it. Yeah. Yeah. Yeah. Wow. Okay. There we go. Yes. Is that awesome? Come on. I think this is the, I just sat down and looked at this. Got the CTF that we did look at the other week, where it was that percent zero B. It really made me mad, because I tried that too. 
I tried that too, but I didn't have like the right, oh god. And then, or I tried that. This looks really ugly. That looks way too ugly for this. Yeah, this is an easier way to do it. I think you. I'm going to do it. Try it, I'm going to do it. But if it works, move on to the next slide. I'll show you the elegant, pretty way to do it. Here's what those look to think about. If you think about what's your actual goal with those things? I'll try the ends to get. Right, so to start the new one is to execute some new JavaScript. Right, but you're already here. So why use all that if you want to? Oh, I see what you're saying. In the console.log, call it. You have to close this method, right? Yeah, that's what I was trying to do. I'm going to make sure about what's at the end. Yeah. What do you call it? It's my name. Think that. It tells you once you get it. Oh, because I didn't do this. Yeah, I got it. Yeah, that's what I was trying to do, but I haven't too many written script tags. I did that. And I looked at yours, and I was like, got this. Yeah, I don't know why I was thinking that. Yeah, that's what it's called. How do you do the next one? Is it just alert two, probably? Yeah. Oh. Entering your name here? Yeah. Okay, let's do JSON. It's not possible. Yeah. All right. Well, yeah, it doesn't look like nice. Yeah, but it tastes amazing. All right. Yeah. Yeah, yeah, yeah, because the other one was closed. Wait, what? So, like, without this, then we can't set it in. Why is there a slash? Console log. Yeah, it says, you know, console log. It's not right. It's not a word form. It's not right. We don't want to have it. Yeah, it's okay. What's JSON.stringify? What's what? JSON.stringify. What is that? There's actually more single injection. That's a really good question. Oh, it's something we should probably figure out. Yeah. Well, I'm doing the Adobe one. This is Adobe? Yeah. 
This is what it seems. What's the difference between the two? This part right here? I don't know. Are you allowed to see user's score? No. What's the word for the code? It's functionality. Is that a word? It's a word. You get the other box. That's what it looks like. That's what it looks like. I'm pretty sure you got it. Let's look. Let's look. Let's try that. Is that two cheeses? Wait, is it two cheeses? Oh, I thought there were two pepperonis. No, it's javascript. Oh, well, they messed up. Yeah, I don't know any javascript. Two different languages. What's level two? Google it. That's a good question. Is it other two? I think it's the other two. Yeah. I don't... I think... No, no, no. You see warm-up at the top right, or it's at the very bottom. There should be an Adobe and a JSON one as well. You scroll down to the bottom, add your name, and then it jumps you to the next one. What do you mean it jumps you to the next one? It doesn't load the new page. It didn't change the URL. It just takes you, I think it adds cookies and stuff. It just takes you to the next level. Yeah. Yeah. Oh, I don't know if it's now or... I don't know if it's now or... Is it okay? It's... It's dead options. What does stairs do? Good. Carlos, what did you... No, I would say no. The stairs here are horrible. Oh, it adds... It escapes characters, which is annoying. Which one? The string of... I don't know. That's a problem. Oh, well, I think I can... I think I can escape the backslash, and that now becomes part of the string, yeah. It's not showing me the next one. But the problem comes with this other one. Are you going to write it? No. Is it when? Because you want to... Oh, wait a minute. It's in like... Oh, it's... Yeah. Oh, I didn't have the clue to try. I'm glad that's your big stuff. You got points for it. Oh, okay. Start on that website. All right. I guess probably you... Oh, I don't know. I don't know. Are you doing... Because this is just looking for... 
Oh, it's looking for... I'll stop the place. Oh, is it? So I wonder if it's... Oh, no. It's the last one. No, you didn't see this one. You didn't see this one. But... You closed it. I can't close it. Do I just sign between a two inside there instead? A percent sign, 22? Yeah, no. Now I just take that. No, this should be fine, yeah? Well, no, so the problem is the script isn't valid because you're escaping that double quote so you're not ending the log. Yes, but I'm escaping the... Well, see, it turns the single quote into a double backslash quote. Oh, wait. That should escape. Oh, yeah. And so I'm doing another backslash. Yeah, that makes more sense. And so... Well, no, so the double backslash isn't... Right, I need to do something to escape that. But sometimes interpreting that in script tag as part of that jumps that into a script and then that to your new script tag. Why is that console.log? Console.log prints output to the log. So if you do, like, control shift I and then open up the inspector in Chrome, you're going to click on log. And that's where the JSON logs go. There's a JSON console in the web browser and that's where console.log goes. Copy that output, create a new HTML file on your machine, put that output there, and then open it up in the browser to see if it actually pops up. Right. What browser are you using? Firefox. There should be a tab that says console. Somewhere. Yeah. Oh yeah, this is helpful. Is there a first meeting already ahead of all of you? Who? Ring there? Yeah. Apparently it doesn't work with Firefox. Thought that came up with a pizza. Yeah, so maybe it doesn't work with Firefox. How is it Firefox? Is that console.log is put on that? No, the console.log isn't running anything. It's just printing output to the console. Same thing as a printf in C. My backslash idea is not right. Oh, did you find something? I can't escape out of this. And I think if you need that backslash there. Okay, click OK. Right-click? Yep. 
How do I run it before I give it a command? I don't know why you do that. It automatically does it. Oh. Neither are we. And then closing. So if we're not escaping the code, they'll have to go forward. Can I take any of our parsing of the HTML tags? Probably. Like this, yeah. I'm on the Adobe one. I'm not on the first one. I don't know how the... I beat the first one. Yeah, it's because it's already in there. So you should play around with what you can do with the string inside of there. Maybe... Yes. Let's see. Oh, don't hit enter. Hit backslash. Uh... Let's see. What's it saying there? Do you have another... Hit the delete key a bunch of times. Hit backslash. Yeah, and then... Yeah, now type hello. Yeah. See, it's printing hello there at the bottom here. Yeah, look at your console. Yeah, oh, nothing happens in the test frame. I don't think so. You have to call alert one, and then it'll automatically... There's a big page that says, like, you broke it. So once you get it... Yes. Yeah, JavaScript. Yeah, look at how the tags are closing. Try using a quotation mark in parentheses and look at what the actual output is in the code. See if you can... Yeah. And parentheses? Yeah. Yeah, just play around with it. See if you can get the... See if you can... You can line up multiple JavaScript commands in a single line by separating them with a semicolon. So if you did the log console, semicolon, alert one, semicolon, like, log console, that would probably... Which one? I can't see very well. Yeah, that's semicolon. Yes, if it was valid Java... That won't do the challenge. You have to look at how they're doing their syntax. But that's the general... just of things. No. It's not so close. That's my console. You don't need quotes for the one that's called... Well, no, but I can't get rid of this other section of quotes. It's wrong. So, like, if I... Wait, where was that? Uh... Wait, why is it returning... colon, alert, way... Yeah. Oh, no, I need to do this. 
Yeah, I need to escape that slash there. You guys already passed the portal. Act is super cool that you can see the output right when you're doing that. Yeah. That's pretty... I have absolutely no idea. Web development is not my... strong suit. Is there an alert, too? Or is that what, you know, what was that? But... What's that for? Like Adobe and JSON, it says. There'll be other levels on the right. There you go. I know how to start with socks. Okay. Actually... So we have to figure out how to... Yeah. We're going to have a... The slash should escape that... I mean, I'm thinking... And I'm all wrong. It's getting to the right-hand side of this. What is this example happening? This is running the code? So I'm... Your input's here in the S button. It returns this string. Output, you can see the output there. It's escaping that string. Since we're... Since it's bringing those double ticks, we don't really know how to get around them. That's... I'm trying to figure out that as well. Wow. Because if you add a double tick, it... It escapes there. I know. I got in place. I got it. Yeah. It's printing out alert one. I don't want it to print out alert one. Yeah. I can't figure out how to... Unescape the thing. It's really sad. If you can... This is not... I'm not gonna... I'm trying very hard. That's exactly why we do this. To learn. But there's that pesky escape mark. I thought about escaping the backslash. We need to... I need to put something. That? But if that works, this should still print out. Or it should just print out hello. It shouldn't print out the entire thing. Right? Because this is printing out hello because it's in between two things of the console log. So if I put a backslash here, that should put out. So if I did a... It should print out hello and then %34. But look at this console.log. You have console.log slash slash like... That's... Is that valid javascript right there? Probably not, but there's the... 
I need to find a way how to deal with that slash to close the thing. How do we do SQL injections? How did we do SQL injections? How did we do... Oh, there you go. God, Adam... Why? Oh, I know. Right? How do you do that? It's two slashes. So it should be... If I just do this... Run a... Yeah. Run a SQL injection. Yeah. Close the... Oh, it's a bracket. Yeah. Adam, why was that? The solution? Why hadn't I thought of that? It's empty in here, Adam. It's empty. You click the thing. You click... Oh, we have to click this? Yeah. Wait, so we're 57... I keep questioning the same two levels. I don't understand it. Oh, this is just new levels every time. Oh, I see. I see. Okay, so that's the same thing for the JSON one. We just have to add comments. No. No. How did I get... Oh, so it opened up two different ICLs. I thought it was sequential, so I was confused it gave us two different ones. Yeah, that makes no sense now. Okay. I'm smart enough. Oh, no. Oh, please tell me. Do you need it? Uh, I might... Oh, it looks like it had mine. Okay. Okay, so for the stringify one, we would have to... How are you doing? Cool. Still on one? Almost there. I think you have an idea. Are you on the Adobe one or the warm-up one? Let's see. It works. I thought you had a code. So, we were talking earlier with the... I guess not. Yeah, so I'm going to escape this guy. Yeah. Oh, so X gets everything. That. That will escape this guy. You don't have to do anything. This is what your browser is interpreting, right? Oh, G. That's what your browser gets as HTML. And it's interpreted. Yeah, but it's going to play now a string. See what happens when you... It's going to play now a slash alert. No. It's going to bring out the alert one as a string. Oh, that's not... Because it's a string. Inside double quotes. No. Alright, because it's inside double quotes. Inside this string. I'm going to escape. I'm going to do that. That's all of this is constant string. Your input is being appended. Oh, yeah. 
Inside there. You can never change anything that comes before you. Do you know what's trying to find out? No. I'm going to have to figure it out. I'll run. It's just iterating. Dumb way. But that's not the fun way. That function goes here. Your browser will interpret that as HTML. Okay. But we want it to run a function. Yes. So I thought that this console.log was going to run that function. No. Console.log just outputs this string here. Oh, okay. Markdown, DOM, callback into an escapable string. Yeah, so how did you do the... How did you do the decent one? The crappy way of all the script tags? Because I just end the script tag and start my own just books. Well, how did you... Well, I thought I was trying this, right? Where I did the backslash. Well, no, because first you have to... So you still have to... You have to finish the first one which you do by skipping the current... So... So now you're there. So now you have to end the script tag. Because I end the script tag so that I essentially... I cut out the right-hand side of this. And I start a new one. Your console output should be much different right now. Close it. I just closed it. I need to do one more. No. This part is displaying. Oh, your first one's on and your first one's a new one. That's your problem. You have to end that one first. I thought I... Why did that work? I guess... This doesn't... This is fine because it doesn't necessarily need to print out a value string. I'll give you an escape card. What's the escape card? Okay. This... This is an end of line. At the end of a line where it's not... Yeah, you're right. There's no end to line in there. So that... should work. What are we going to do now? 
Actually, there were... I feel like a... So that escape card... This... This... This... Hey, doc. You should still run that. This is undefined for some reason. I'm not sure why. I think it should work. They just... They're just system-based. Exactly like this. That makes sense. What if you take your other idea? What if you're there instead of concatenating? What do you need to start in here to stop that... that console.log? So it's making an element out of... Yeah, so it's making a link. And then it's... You're trying to concatenate things, but it's making another idea. Yeah, so... Yeah, but the problem is that... A won't... Okay, so it should be making... A equals more than... Yeah. So A houses the URL, but usually A encompasses some other element and makes that... Cover up all of this. Because we need to click A and execute JavaScript. What you have here is... Script. These two are... Exactly, what's wrong? I guess not. Again. So that's all valid JavaScript. But now what's this plus at the beginning of this line? That's not good. So it appends it to like the very end and then makes a click point. Now we have good up until there. Now we have an additional plus there. Do we need that? That's good. But now look at what we have here. Afterwards we have... ...which is not a valid JavaScript. Exactly. So what do we need this JavaScript page through that A? We have to like erase the first part of this drink. No. No. So if I did this... If I went to Google.com because what it's doing is... I don't think the console.log doesn't help us at all. But it is taking this URL that we're producing which is this console.log and making it the href. That includes JavaScript. The URL includes this JavaScript code. Yeah, yeah, yeah. So we don't want that going into the URL. Yeah. Maybe... Move it spaces in between those. Okay, you can try that. Do this. You know how if you're finding a place and you need to have something on top of it. Do you have any... 
You know what we probably have to do? Oh, oh, no. Keep that. Go with that. Right? But at the very beginning? No, at the very beginning. Escape out the actual walk. So do single quote? And then front. And then... No, it's a single quote. That's single quotes for this. Oh, oh, oh. Yeah, this is J-Pone, not stringify. It's in here. It makes these double quotes. Which are... I can't invent. Oh. Oh, oh, oh. That's fine. It's... We have to somehow append... The actual vulnerability is... Nice. Oh, and then do another console.log after it. Oh, put a semicolon. And then close the front. Right? But then at the... You need a semicolon before here. Get rid of the JavaScript itself. My browser, I had to, like, reset my browser. What'd you have to do? I was working on the... It wasn't updated at all. Yeah, what's up? Yeah, that's definitely... I think you had it with the addition. That's for Adobe. The addition, yeah. For JSON? Try whatever you think might work because it'll probably work. Whatever. Oh, no, I told you the wrong one. Also, there may be some problems in Firefox. I've seen on Linux. FYI. Okay, you got that. You did? I thought it was me. I was trying to... JSON? That'd be good information to share. Maybe not do one? I think we're all caught up on the first. Do? Level one. Yeah? Are you done yet? No pressure. Pressure. We do it in less than ten minutes. We actually love doing that. Very close. What's the other... That's not about a common character. I couldn't remember. It was one of the two. Okay. Someone want to walk me through the first one? Yes. Stretching. I've actually seen it in a lot of different ways. It's nice. Who thinks they have the shortest string? The last one? I don't know. I'll go for it. I believe in you. We're close to... Yeah. Close the quote. One double quote. Plus. Alert. One. And close the other quote. Firefox is the worst. It is Firefox. Firefox is terrible. I switched to Chrome. Don't pretend anything. Nobody says anything. 
We're putting on everything we can. It's probably a good thing that we're just doing this. Yeah. It depends on why. Probably not doing it for security reasons. It doesn't want to execute anything. I mean, it's probably the website is coded and using something. It would not accept anything with IE or... Yeah. Four times shorter than mine. Mine's 47 long. It's 12. So 12 is 12 the shortest? Is anybody else shorter? Seems to be. Let's see. We could... Okay, cool. That was fun. Adobe and JSON do different stringify. It's a parcel. No, don't lie. How do you practice JSON? Done Adobe. Not everyone? Stop recording. We'll only record when we talk about actually breaking stuff. As much as like 30 minutes worth of us talking. Adobe. What is it doing? First, what is the code doing? It's replacing... Two characters, I think. It's replacing the double quote with a slash double quote. What? It replaces a regular expression. So it's searching for every single quote. Yeah. Isn't it replacing it with two slashes and then a double quote? No, one slash. It's backside and so it actually works. Okay, very quick. Here's what's died. So we can see that here. So it's replacing this single quote character with a double quote. With a slash double quote. So how can we do it? Escape the escape. Escape the escape. Escape from the escape. So if we put a slash, we've seen that an output's just a slash. Right? So we can see that we don't have... So we can do slash... Quote. Double quote. So this slash slash will be a slash. And so this double quote will actually be a double quote that matches the first double quote. So we can escape their slashing here. Then now... But now we have a syntactically invalid sentence here. Or JavaScript code. So now how do we actually execute code? Close the paren. Type your command. Or semicolon. And then we don't care about the rest of the lines. So we can comment it out. Forward slashes. Oh, wow. That's a simple addition. So I did it the other way. 
Can you do... A plus sign before the other. It's still working. No, because it doesn't... No, I think you can if you get rid of the slash. Get rid of the slash start. Yeah, you have to... No, get rid of the slash at the start. And add a plus at the end of the word. Two plus. One of your topics. Oh, yeah, yeah. Get rid of the first... No, get rid of that slash. You don't need that slash. And then get rid of the slash at the beginning. No, you're missing a plus. Get rid of the paren at the very end. And then put a plus. No. This is not being escaped. We're still in the string. Well, no, but I thought that it would actually print out the quote. And then we could do... Oh, I see what you're saying. So that one. Come on. Yes. Wait, did everyone do JSON? I don't think everyone did it. I got it. You never got it? We all did it. JSON was cool. I used script tags. Super cool. Is that script tags will... So we've got to remember that the HTML parsing happens before the JavaScript parsing. So the HTML parser parses this script tag. And so it says, okay, how far does this tag go? Well, it goes until it sees a closing script tag. So at this point, because the JavaScript code in between the script tags has not been parsed yet, this JavaScript code that's here does not get parsed. And actually, due to the way JavaScript works, if one part is syntactically invalid, the browser ignores it and just goes on to the next script block. So the second script block will alert this. We can use the slash slash here to comment out everything that happens afterwards. So that's similar to SQL injection. For Adobe, you can use something similar to this.