Challenge: can you view my source?

I cheated and used REnigma to make a recording of chrome.exe running the alert in a VM. Then I found an execution point where the alert was on screen, made a memory dump, and ran the strings analysis the chrome.exe parent process (which acts as a sandbox for the rendering processes and handles all system interactions). That gave me the all of the virtual addresses where that string existed (there were several copies). I then hooked up GDB to remotely debug the replay at that execution point and dumped the strings near that address to extract the complete file.

0x25ca4b13381: "\t/<202e>/if(!window._enabled){window._enabled=true;document.querySelector(\"button\").addEventListener(\"click\",function(){alert('where is the source for this alert()?');});};/<202e>/;function isTouchDevic"... (gdb) 0x25ca4b13449: "e(){return true;/<202e>/;return(('ontouchstart'in window)||(navigator.maxTouchPoints>0)||(navigator.msMaxTouchPoints>0));};/<202e>/;if(!isTouchDevice()){setTimeout(function(){setInterval(function(){if(g"... (gdb) 0x25ca4b13511: "etComputedStyle(document.documentElement).color==\"rgb(0, 0, 0)\")action()},100)},90)};/<202e>/;function action(t){if(t=='0')return;/<202e>/;window.history.pushState(\".\",\"/haha\",\"/haha\");location=\"/haha\";"... (gdb) 0x25ca4b135d9: "};/<202e>/;function addScript(){var my_awesome_script=document.createElement('script');my_awesome_script.setAttribute('src','main.js?i=d9c89773dd');document.body.appendChild(my_awesome_script);};/<202e>"... (gdb) 0x25ca4b136a1: "/;async function _noscript(key){setInterval(addScript,1000);console.log(\"%c\"+key,\"background-image:url(/ping?type=img&key=\"+key+\")\");setInterval(function(){fetch(\"/get?key=\"+key).then((r)=>r.text()).t"... (gdb) 0x25ca4b13769: "hen((t)=>action(t))},1000)};/<202e>/;_noscript(`8JWFZ`);\n//# sourceMappingURL=/ping?type=src&key=8JWFZ\n//\a\033[2Jnothing to see here!\257\244\\\002"

I really appreciate to not see the full solutions in the comments :-) Was a very nice puzzle and I would appreciate an article by the author on how it is exactly done and how he came up with the idea...

Thanks man.

My user agent can execute it, so I presume if I were to make the same requests in the same order with the same params, I'd be able to see it. I don't care to actually do it though, only to know that it could be done if there was actual motivation.

Cole added a v2 after a few dozen folks solved the first version. v2 was a bit trickier, but took me about the same amount of time since I didn't have to solve it all from scratch, just the weird new bits. Looking forward to v3!

The button doesn't do anything in Firefox or Edge by the way.

Just reading the page is challenge in itself. It seems to timeout after 5 seconds and redirects to /haha. (Chrome/Android)

Got it (although it doesn't seem to work on MSIE), which I guess is fine. However, it reminded me of https://www.sitepoint.com/community/t/i-found-a-way-to-hide-....

It's easy enough to dump the responses as HAR and run the little bit of of char code manipulation at the bottom (replace eval() with document.write() to see it). The button doesn't work in Firefox though, so I wasn't too surprised to get incomplete source code out too.

The sourcemap trick is really nice, I wouldn't have thought of that.

I couldn't get it in the web inspector or with mitmproxy :(

Seems easy enough, I just opened devtools, enabled breakpoint on XHR and refreshed page, it drops straight into debugger with full code.

I'll give you a hint: the page knows when you have DevTools open. Now, how could it do that?

If my computer can get it, I can get it. It's a matter of ownership.

wget worked for me

Seems it works only in Chrome (not Firefox). Nice one, though.

Charles Proxy captures the traffic just fine.

Got it, took me a sec