For the latest addition to YesWeHack’s Dojo series, we’re faced with the challenge of fetching the secret that EvilCorp2.0 is storing on the /secret endpoint. To obtain this secret, we need to find a way through the security mechanisms that EvilCorp2.0 has put in place for their small app. Their app is created using Deno and it allows us to specify a URL as a string, which the server will fetch for us if it passes the security mechanisms.

The security mechanisms are implemented as a function called waf. The function takes a parameter of type 'string' called str. …

Intigriti is back at it again! This month’s challenge is yet another from the amazing Inti. Let’s dive right into it!

The rules are as follows:

The solution…
- Should work on the latest version of Firefox or Chrome
- Should alert() the following flag: flag{THIS_IS_THE_FLAG}.
- Should leverage a cross site scripting vulnerability on this page.
- Shouldn’t be self-XSS or related to MiTM attacks
- Should be reported at go.intigriti.com/submit-solution

The challenge seems to revolve around this interesting component, found at the bottom of the page:

Inti has decided to give us the possibility of writing and storing…

A new month, a new challenge. Eager for a new Intigriti challenge I was happy to finally see this tweet:

Let’s jump in and read the rules!

The solution…

- Should work on the latest version of Firefox or Chrome
- Should alert() the following flag: {THIS_IS_THE_FLAG}.
- Should leverage a cross site scripting vulnerability on this page.
- Shouldn’t be self-XSS or related to MiTM attacks
- Should be reported at go.intigriti.com/submit-solution

At first sight, the page doesn’t seem to have any functionality nor provides us with a cool calculator. …

Not in the mood for reading? Fair enough, here’s the solution:
PoC URL: https://bugpoc.com/poc#bp-DAPAxYtZ
Password: huMANEemu69

Well would you look at that. A *wild* XSS challenge has appeared and it looks like my weekend plans has to be scrapped.

Let’s play a game… or maybe just pop an XSS?

Let’s start by checking out the challenge page:

The page appears to be a game where you have to pick three cards, one from each pile, and get a sum of 18. While the game looks fun, that’s not why we’re here is it? …

Just show me to the solutions already!
Fair enough:
Solution #1
Solution #2 | No user-interaction
Solution #3 | An unintended solution
Solution #3.5 | A different approach to getting XSS

It’s December and this year Christmas came early! On 7/12, a new tweet ticked in from Intigriti announcing a new challenge:

Since Intigriti recently paid out €185.000 in bounties in one day they thought it would be a good idea to make us a calculator, but it seems like it can do a bit more than intended…

The rules

The solution to the challenge should meet the following requirements:

1…

Just show me the solution already!
Fair enough, here you go:
PoC URL: https://bugpoc.com/poc#bp-yWlmd3py
Password: RushFROG09

On 11/04, BugPoC’s latest contribution to their CTF collection kicked off. I was eagerly waiting for the challenge to go live and finally, a tweet came in:

The rules were as follows:

1. You must alert(origin) showing https://wacky.buggywebsite.com
2. You must bypass CSP
3. It must be reproducible using the latest version of Chrome
4. You must provide a working proof-of-concept on bugpoc.com

Cool site, what can it do?

I quickly visited the site, and was met with the following:

The functionality of the page was to make user-supplied…