Post subject: http://escape.alf.nu/ - the javascript code injection game
Patashu
He/Him
Joined: 10/2/2005
Posts: 4017
http://escape.alf.nu/ The goal is simple - here is some javascript that handles strings in an unsafe way. Prove it is unsafe by having javascript of your choice execute because of the contents of your string - in this case, alert(1). If you've heard of SQL injections, such as the classic [url=http://xkcd.com/327/]Robert'); DROP TABLE Students;--[/url], this is the same idea. Currently I am stuck on level 5. EDIT: Got level 5, but I don't understand why it works - it looks like extremely malformed html to me. BTW, I recommend you play this game resized so that the bottom two sections (scores and facebook comments) are not visible. Spoiling yourself isn't fun!
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
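The kind of unsafe string handling the opening post describes, as an added example that is not part of the original thread and is not taken from any of the game's levels: an unescaped embed, an escape that only looks correct, and a hardened one, each checked for whether the input stays data. All function names and sample strings are constructed for illustration.

```javascript
// Constructed example (hypothetical names): three ways to embed an
// untrusted string s into generated JavaScript source.

// Unsafe: s is pasted between the quotes with no escaping at all.
function embedRaw(s) {
  return 'log("' + s + '");';
}

// "Looks OK": escapes double quotes but forgets that a backslash in the
// input can neutralise the backslash the escaper adds.
function embedQuoteOnly(s) {
  return 'log("' + s.replace(/"/g, '\\"') + '");';
}

// Hardened: JSON.stringify emits a complete, correctly escaped literal.
// This covers the JavaScript context only; output placed inside HTML
// needs encoding for that context as well.
function embedJson(s) {
  return 'log(' + JSON.stringify(s) + ');';
}

// Run generated code against stub log/alert functions and record calls.
function run(code) {
  const calls = { logged: [], alerted: [], error: null };
  try {
    new Function('log', 'alert', code)(
      (v) => calls.logged.push(v),
      (v) => calls.alerted.push(v));
  } catch (e) {
    calls.error = e.name;
  }
  return calls;
}

// True only if the generated code did exactly one thing: log(input).
function staysData(embed, input) {
  const r = run(embed(input));
  return r.error === null && r.alerted.length === 0 &&
         r.logged.length === 1 && r.logged[0] === input;
}

// Constructed sample inputs: plain text, a quote breakout, and the same
// breakout prefixed with a backslash.
const SAMPLES = ['hello', '");alert(1);//', '\\");alert(1);//'];
for (const embed of [embedRaw, embedQuoteOnly, embedJson]) {
  console.log(embed.name, SAMPLES.map((s) => staysData(embed, s)));
}
```

Running `staysData` over a list of hostile strings like this works as a regression check for any function that builds code from input.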
Player (144)
Joined: 7/16/2009
Posts: 686
Nice find, this is fun. Also stuck on 5.
Patashu
He/Him
Joined: 10/2/2005
Posts: 4017
Stuck on level 7 ATM. This one is a doozy.
Player (144)
Joined: 7/16/2009
Posts: 686
I just completed 7. I'd give you a hint, but it seems impossible without giving it all away.
Patashu
He/Him
Joined: 10/2/2005
Posts: 4017
Scepheo wrote:
I just completed 7. I'd give you a hint, but it seems impossible without giving it all away.
No problem - knowing it's beatable is all I want. :)
Tub
Joined: 6/25/2005
Posts: 1377
Very interesting game, thanks for sharing! I've broken them up to level 6. I haven't beaten 7 yet, but I'll note my observations. It's interesting to note that the function name allows []' as characters, but neither . nor (). So if you want to call document.getElementById you could write it as document['getElementById'], but I haven't found a use for that notion yet. Several... interesting applications that could really screw up your web site, but nothing to call alert(1). Another interesting observation: it's possible to formulate an expression that yields 1 within the function name with the allowed characters. Not sure how to combine that though, neither binding nor closures seems to work.
m00
Player (144)
Joined: 7/16/2009
Posts: 686
Tub wrote:
It's interesting to note that the function name allows []' as characters, but neither . nor (). So if you want to call document.getElementById you could write it as document['getElementById']
Good observation that it allows brackets, but it's not necessary, actually. I don't think the above is a really big spoiler, but I made it one either way.
Tub
Joined: 6/25/2005
Posts: 1377
Duh, of course. Seems so obvious in retrospect.
Patashu
He/Him
Joined: 10/2/2005
Posts: 4017
I pushed a little further in this and am now stuck on level 11/12 (neither of which I have any clue on). Anyone else chugging at this?
Tub
Joined: 6/25/2005
Posts: 1377
Patashu wrote:
I pushed a little further in this and am now stuck on level 11/12 (neither of which I have any clue on). Anyone else chugging at this?
11: there is a defense against level 2's solution. Use level 2's solution anyway. The trick is to get it past the defense. 12: not a clue, though my observations above about level 7 may apply.
Player (144)
Joined: 7/16/2009
Posts: 686
Tub wrote:
12: not a clue, though my observations above about level 7 may apply.
Nope, still not necessary. Though now I'm curious as to your solution for level 7. EDIT: For an indication of its difficulty, I have 0-7 and 12. I'm still trying to do 8 without using external files.
Player (36)
Joined: 9/11/2004
Posts: 2623
I'm stuck on 10 for right now. EDIT: On to 11 now. EDIT: 12. EDIT: On 13. EDIT: Now 14... EDIT: Giving up for now, stuck on 14.
Build a man a fire, warm him for a day, Set a man on fire, warm him for the rest of his life.
HHS
Active player (282)
Joined: 10/8/2006
Posts: 356
The solution for level 8 is obvious. Don't know how to beat level 9, though. If I could just get at the window object, I could call eval and I'd be done. Edit: Oh, got it now, didn't have to call eval after all.
Tub
Joined: 6/25/2005
Posts: 1377
Got 1-7, 11 and 12. I'm a web developer. Is it a bad sign that I consider level 10 to be safe? I mean, I cannot easily find a solution for 8 and 9 either, but just looking at it I think "bad idea". 10 looks fine to me.
Scepheo wrote:
Nope, still not necessary. Though now I'm curious as to your solution for level 7.
I solved both without the unnecessary things, probably the same way you did. The second just requires a javascript-feature that no mortal should ever have to know.
HHS
Active player (282)
Joined: 10/8/2006
Posts: 356
Level 9 requires a fair bit of creativity to gather all the missing ingredients and build the right kind of container to put them into. At level 10, converting to HTML would be fine if it weren't for one little thing... Managed to beat 14. You just need to confuse the browser a little.
Patashu
He/Him
Joined: 10/2/2005
Posts: 4017
Tub wrote:
Got 1-7, 11 and 12. I'm a web developer. Is it a bad sign that I consider level 10 to be safe? I mean, I cannot easily find a solution for 8 and 9 either, but just looking at it I think "bad idea". 10 looks fine to me.
That's what's so cruel about injection based security - 'looks OK' solutions can actually be blown right open if you're not following industrial standards. 10 is broken, (mild spoiler) but in a different way to every previous puzzle. BTW, PSA: If you beat 15 there's still 16 and so on: http://escape.alf.nu/16/ http://escape.alf.nu/17/ http://escape.alf.nu/18/ no 19 yet... http://escape.alf.nu/20/ http://escape.alf.nu/21/ And 21 is the last existing one I can see.