Just show me to the solutions already!
Fair enough:
Solution #1
Solution #2 | No user-interaction
Solution #3 | An unintended solution
Solution #3.5 | A different approach to getting XSS
It’s December and this year Christmas came early! On 7/12, a new tweet ticked in from Intigriti announcing a new challenge:
Since Intigriti recently paid out €185.000 in bounties in one day they thought it would be a good idea to make us a calculator, but it seems like it can do a bit more than intended…
The rules
The solution to the challenge should meet the following requirements:
1. Should work on the latest version of Firefox or Chrome
2. Should execute the following JS:alert(document.domain).
3. Should be executed on this domain (challenge-1220.intigriti.io)
4. Shouldn’t be self-XSS or related to MiTM…
Just show me the solution already!
Fair enough, here you go:
PoC URL: https://bugpoc.com/poc#bp-yWlmd3py
Password: RushFROG09
On 11/04, BugPoC’s latest contribution to their CTF collection kicked off. I was eagerly waiting for the challenge to go live and finally, a tweet came in:
The rules were as follows:
1. You must
alert(origin)showinghttps://wacky.buggywebsite.com2. You must bypass CSP
3. It must be reproducible using the latest version of Chrome
4. You must provide a working proof-of-concept on bugpoc.com
Cool site, what can it do?
I quickly visited the site, and was met with the following:
The functionality of the page was to make user-supplied text ‘whacky’. I brought up one of my best friends, chrome’s developer tool, and noticed the ‘whacky’ result was displayed in an…
About
