Prototype Pollution, reCAPTCHA and XSS - Solution to June '23 Challenge

🏆 The official writeup for the June '23 Challenge. There's at least 3 possible solutions, all featuring prototype pollution (jquery 2.2.4 - deparam) and XSS 😎 The differences will be outlined in the video, but a quick summary: 1) Intended: Pollute Sanitizer() config to allow unknown markup and the Google reCAPTCHA related attributes. 2) Unintended #1: Use reCAPTCHA (srcdoc, like intended) as a gadget without changing Sanitizer config (pollute sitekey). 3) Unintended #2: Use jquery script gadgets ($(x).off - delegateTarget), bypassing reCAPTCHA and the domain check. Follow Godson:   / 0xgodson_   Solve the challenge: https://challenge-0623.intigriti.io 🧑💻 Sign up and start hacking right now - https://go.intigriti.com/register 🐱💻 Can't get enough of these challenges? - https://blog.intigriti.com/hackademy/... 👾 Join our Discord - https://go.intigriti.com/discord 🎙️ This show is hosted by   / _cryptocat   ( ‪@_CryptoCat‬ ) &   / intigriti   👕 Do you want some Intigriti Swag? Check out https://swag.intigriti.com 00:00 Intro 01:55 Enable Sanitizer API in Firefox 02:41 Explore site functionality 03:38 Source code review 08:32 Setup challenge (local environment) 10:06 jquery 2.2.4 deparam prototype pollution 12:45 reCAPTCHA as a gadget 15:01 Pollute Sanitizer() config 18:37 Bypassing the domain check (remote) 20:51 Summary of intended solution 22:04 Bonus: Unintended #1 - reCAPTCHA sitekey pollution 23:17 Bonus: Unintended #2 - jquery script gadgets 25:02 Recap 26:24 Conclusion