DOM Clobbering, CSPP (axios) and XSS - Unintended Solutions to January '24 Challenge

Video description: DOM Clobbering, CSPP (axios) and XSS - Unintended Solutions to January '24 Challenge

🏆 The official writeup for the January '24 Challenge, which involves DOM Clobbering, Client-side Prototype Pollution (CSPP) in axios (FormDataToJSON), and XSS. We received 37 valid submissions (and 8 awesome writeups), none of which were intended! In this video, we'll break down those solutions 🧠

Full blog/writeup: https://bugology.intigriti.io/intigri...
Follow Kévin - Mizu: / kevin_mizu
Solve the challenge: https://challenge-0124.intigriti.io

🧑💻 Sign up and start hacking right now - https://go.intigriti.com/register

🐱💻 Can't get enough of these challenges? - https://blog.intigriti.com/hackademy/...

👾 Join our Discord - https://go.intigriti.com/discord

🎙️ This show is hosted by / _cryptocat (@_CryptoCat) & / intigriti

👕 Do you want some Intigriti Swag? Check out https://swag.intigriti.com

00:00 Intro
01:08 Source code review
05:15 Identify axios version
07:19 HTML injection
08:24 DOM clobbering
10:01 Client-side prototype pollution (CSPP) in axios
12:16 Searching for a gadget
12:52 Unintended solutions
13:45 Polluting repo.owner
14:42 Polluting repo.homepage
15:59 jQuery exception
18:10 XSS: srcdoc
20:12 XSS: src
20:29 XSS: onload
20:43 XSS: ontransitionend
21:18 XSS: onerror
21:48 Unintended (without polluting owner/homepage)
21:54 XSS: clobbered 'q'
22:27 XSS: baseURL (attacker domain)
22:49 Breakdown of payload stats
23:27 Community writeups
23:44 Conclusion
