Exploring a Roblox exploit

Last updated: 10 months ago

This was originally converted from a Gist. It goes without saying: Don’t run anything here.

Self-XSS is a type of attack that requires the user to paste some code into their browser or console to execute code in their browser, and it often collects some client tokens and sends them away to the attacker’s server.
It goes without saying, don’t paste anything in your console or browser - and you shouldn’t run or copy anything here unless you know how to do it without accidently running it

1. Introducing… The bait:

The bait


Promise free things, who wouldn’t want that. Tbf the video has a lot of likes & comments, I guess they botted it?

2. The video

The video itself looks bad, and fake. But kids still fall for it
In the description we find the following (mindblowing) code:
Description of video


Basically this runs javascript code that navigates to configureroblox.com/api/catalog/…
Notice the “configure + roblox.com” (and path) it’s trying to look legit (hint: it isn’t).

3 The code

This returns the following code: Raw code


It has two parts: Payload2 and an async function that calls itself (and starts the ball rolling).

This function that calls itself is the one that performs the attack. After running it through JSNice:
Nicer code


This sends a request to grab the CSRF token (which is designed to prevent cross-domain attacks), and supplies it in a request to get an authentication ticket.
(This is ‘the secret’ they’re after.)
The authentication ticket is collected from the headers, and POSTed to the attacker’s server. Attack is done!

All they do now is do some ‘fake’ work to make it look like they’re doing something legit/complex, and redirect the user to the image of their charcter texture.


If you'd like to republish the contents of this post, please get in touch.