Maybe we can call this JSON injection?
- Basic knowledge of Node.js.
```js
const crypto = require('crypto');
// INTEGRITY is a constant defined elsewhere in the challenge source (not shown here)

async function generateToken(username) {
  const algorithm = 'aes-192-cbc';
  const key = Buffer.from(process.env.KEY, 'hex');
  // Predictable IV doesn't matter here
  const iv = Buffer.alloc(16, 0);
  const cipher = crypto.createCipheriv(algorithm, key, iv);
  // The token is assembled as a JSON string with the username interpolated unescaped
  const token = `{"integrity":"${INTEGRITY}","member":0,"username":"${username}"}`;
  let encrypted = '';
  encrypted += cipher.update(token, 'utf8', 'base64');
  encrypted += cipher.final('base64');
  return encrypted;
}
```

The key observation is in this function. Notice that the token is not built as an object (`token.username = username`) and then serialized; it is assembled as a string:
```js
const token = `{"integrity":"${INTEGRITY}","member":0,"username":"${username}"}`
```

This lets the username we supply close the `"` of the username value and append a second `member` key with a non-zero value, which overrides the server's `0` when the JSON is parsed.

We can simply pass the username `","member":"1` and then visit `/api/flag`:

```json
{
  "success": true,
  "flag": "flag{1_c4nt_f1nd_4_g00d_p4nd4_pun}"
}
```
The flag is:
flag{1_c4nt_f1nd_4_g00d_p4nd4_pun}
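The following is an added example, not the challenge's own code: it puts the vulnerable string-built token next to a JSON.stringify version and models what the server sees after parsing. The AES layer is left out because it does not change the plaintext injection, and the access check being `member !== 0` is an assumption, as is the placeholder INTEGRITY value.

```javascript
// Added example, not the challenge's code: the token body built the
// vulnerable way versus with JSON.stringify, and what the server sees.
// The AES layer is left out because it does not alter the plaintext
// injection; "member !== 0" as the access check is an assumption.
const INTEGRITY = 'constructed-integrity-value'; // constructed placeholder

// Vulnerable: the username is spliced into JSON text unescaped, so a
// quote inside it ends the string and lets the caller add keys.
function buildTokenUnsafe(username) {
  return `{"integrity":"${INTEGRITY}","member":0,"username":"${username}"}`;
}

// Hardened: serialize an object. Quotes in username are escaped and
// the document carries exactly one "member" key, set by the server.
function buildTokenSafe(username) {
  return JSON.stringify({ integrity: INTEGRITY, member: 0, username });
}

// Server-side claim extraction as modeled here. JSON.parse keeps the
// LAST value of a duplicated key, so a later "member" in the text
// silently replaces the server's 0.
function parseClaims(tokenText) {
  const claims = JSON.parse(tokenText);
  return { member: claims.member, username: claims.username };
}

function isMember(tokenText) {
  return parseClaims(tokenText).member !== 0;
}

// Cheap consistency check for tokens the server produced with
// JSON.stringify: parsing and re-serializing must give back the same
// text. A duplicated key (one copy is dropped by the parser) breaks it.
function isCanonical(tokenText) {
  return JSON.stringify(JSON.parse(tokenText)) === tokenText;
}

const payload = '","member":"1'; // the username value from the writeup
```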