> Check out my super safe website! Enter the password to get the flag

> Author: Andrew

We're given a simple website with an input. Here are the interesting parts of `main.js`:
```js
// Download the compiled module as raw bytes.
const fetchWASMCode = () => {
  return new Promise((res, rej) => {
    const req = new XMLHttpRequest();

    req.onload = function () {
      res(req.response);
    }
    req.onerror = (err) => {
      console.warn('If you\'re seeing this logged, something broke');
      rej(err)
    }
    req.open("GET", "./code.wasm");
    req.responseType = "arraybuffer";
    req.send();
  });
};
```

```js
const input = document.querySelector('input#password');
const response = document.querySelector('p#response-text');

document.querySelector('button').addEventListener('click', () => {
  if (wasm) {
    const memory = new Uint8Array(wasm.instance.exports.memory.buffer);
    memory.set(new TextEncoder().encode(input.value + "\x00"));

    const resultAddr = wasm.instance.exports.checkPassword(0);

    const end = memory.indexOf(0, resultAddr);

    response.innerText = "Response: " + new TextDecoder().decode(memory.subarray(resultAddr, end));
  } else {
    response.innerText = "Please try again in a few seconds";
  }
}, 1);
```

In the second chunk you can see that `wasm.instance.exports.checkPassword` is called. In the first chunk you can see that it comes from `("GET", "./code.wasm")`. I hexdump'd the `wasm`, and found the flag in plaintext (it would also be found in `strings`...).

For completeness: When the user enters `WASMP4S5W0RD`, an element will be added below with `Response: bcactf{w4sm-m4g1c-xRz5}`

Flag: `bcactf{w4sm-m4g1c-xRz5}`
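The hexdump step above can also be done structurally. The following is an added example, not part of the original writeup or the challenge's code: it parses a wasm module's data section and lists the printable strings it initialises linear memory with, which is the check to run before shipping a module to confirm it carries no secret. `readLEB`, `dataSegments`, `embeddedStrings` and the sample module are constructed for illustration; the parser assumes constant `i32.const` segment offsets below 2^31.

```javascript
const readLEB = (buf, pos) => { // unsigned LEB128, the integer encoding wasm uses
  let result = 0, shift = 0, byte;
  do { byte = buf[pos++]; result |= (byte & 0x7f) << shift; shift += 7; } while (byte & 0x80);
  return [result >>> 0, pos];
};

function* dataSegments(wasm) {
  const buf = new Uint8Array(wasm);
  if (String.fromCharCode(...buf.subarray(0, 4)) !== '\0asm') throw new Error('not a wasm module');
  let pos = 8, size, count, flag, len; // pos 8: just past magic and version
  while (pos < buf.length) {
    const id = buf[pos++];
    [size, pos] = readLEB(buf, pos);
    const end = pos + size;
    if (id === 11) { // data section
      [count, pos] = readLEB(buf, pos);
      while (count-- > 0) {
        let offset = 0; // passive segments have no address; positions stay segment-relative
        [flag, pos] = readLEB(buf, pos);
        if (flag === 2) [, pos] = readLEB(buf, pos); // explicit memory index
        if (flag !== 1) { // active segment: constant offset expression
          if (buf[pos] !== 0x41) throw new Error('only i32.const offsets handled');
          [offset, pos] = readLEB(buf, pos + 1); pos++; // also skip the `end` opcode 0x0b
        }
        [len, pos] = readLEB(buf, pos);
        yield { offset, bytes: buf.subarray(pos, pos + len) };
        pos += len;
      }
    }
    pos = end; // every other section is skipped by its declared size
  }
}

function* embeddedStrings(wasm, minLen = 4) {
  for (const { offset, bytes } of dataSegments(wasm)) {
    for (let i = 0, start = 0; i <= bytes.length; i++) {
      if (i < bytes.length && bytes[i] >= 0x20 && bytes[i] < 0x7f) continue; // printable ASCII
      const text = String.fromCharCode(...bytes.subarray(start, i));
      if (text.length >= minLen) yield { address: offset + start, text };
      start = i + 1;
    }
  }
}

const secret = new TextEncoder().encode('EXAMPLE-PASSWORD\0flag{constructed-example}\0'); // constructed
const sampleWasm = Uint8Array.from([ // constructed module, not the challenge binary
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x05, 0x03, 0x01, 0x00, 0x01, // header, 1-page memory
  0x0b, secret.length + 7, 0x01, 0x00, 0x41, 0x80, 0x08, 0x0b, secret.length, ...secret, // data at 1024
]);
```

Any string this reports is readable by every visitor, so a password comparison or flag compiled into the module belongs on the server instead.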

Original writeup (https://eb-h.github.io/bcactf-2021/#wasm-protected-site-1).