In this write-up, we’ll see how I identified a remote code execution vulnerability and bypassed the Akamai WAF rule(s). While I was doing a security scan, I noticed an endpoint that incorporates user-controllable data into a string and reflects it back in the response. Noticing the reflection of the text, I tried some XSS payloads but was not able to execute JavaScript successfully as the response Content-Type was application/json. However, when entering a payload such as ${191*7} I was surprised to see that the arithmetic expression had been successfully evaluated within the response as
[SNIP]…getApprovalGroupByContext.contextType: 1337…[/SNIP]
Note: “RCE_” is not…
Introduction
In this writeup, I am going to explain my approach towards solving the Wacky XSS Challenge. The challenge is primarily about bypassing Content Security Policy (CSP) and DOM Clobbering due to insecure coding practice.
Challenge Rules
- You must
alert(origin)showinghttps://wacky.buggywebsite.com - You must bypass CSP
- It must be reproducible using the latest version of Chrome
- You must provide a working proof-of-concept on bugpoc.com
Here’s how the challenge page looks like:
Upon clicking Make Whacky! button, I noticed a GET request being made to /frame.html page along with a query parameter called param
