Web [250pts]

Description: A target service is asking for two bits of information that have the same “custom hash”, but can’t be identical. Looks like we’re going to have to generate a collision?

When we navigate to the home page, we are greeted with the source code, which details the conditions for getting the flag and the type of request to be made:

So we know that our request body has to be JSON and that we will receive 400 errors if the body is invalid or if the request parameters “one” and “two” are missing. There is also a customhash function, whose implementation is not shown to us, that hashes what we send to /getflag.

Using Postman, I tried out a few sample payloads and received their hash values as well as rejections:

Since the hash is custom and its internals are unknown, brute-forcing a collision would take a while. But, looking back at the source code, we see that the parameters “one” and “two” are being compared with == instead of ===.

A loose comparison (==) performs type coercion before comparing, so two values that are not identical, and may not even be of the same type, can still evaluate as equal. That is exactly what we need here: the challenge demands inputs that are not identical yet pass the comparison.

Looking at a useful JS comparison table: https://dorey.github.io/JavaScript-Equality-Table/

We can see that [1] == “1” evaluates to true: the array is coerced to its string form “1” before the comparison, whereas [1] === “1” would be false. When we send one as [1] and two as “1” in the request body, the two values are not identical but still compare equal, and we receive our flag without having to brute-force anything:
