Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
XSS Challenge DOM Clobbering
<!doctype html><meta charset=utf-8>
<title>SecurityMB's Security Challenge</title>
<style>
* {
font-family: monospace;
}
textarea {
width:100%;
height:90px;
}
iframe {
border: 1px solid;
width: 100%;
height: 200px;
}
</style>
<script src=./dompurify-2.0.1.js nonce=abcd></script>
<h1>XSS challenge</h1>
<p><b>Rules:</b></p>
<ul>
<li>Please enter some HTML. It gets sanitized and shown in the iframe.</li>
<li>The task is: execute alert(1) (it must actually execute so you have to bypass CSP as well).</li>
<li>The solution must work on current version of at least one major browser (Chrome, Firefox, Safari, Edge).</li>
<li>If you find a solution, please DM me at Twitter: <a href="https://twitter.com/SecurityMB">@SecurityMB</a>.</li>
<li>DOMPurify has been updated to 2.0.1 so you cannot exploit <a href=https://twitter.com/cure53berlin/status/1174617047076147202>the latest mXSS</a>.</li>
</ul>
<p><b>Solvers:</b></p>
<ul>
<li><a href="https://twitter.com/bonaff3">@bonaff3</a></li>
<li><a href="https://twitter.com/haqpl">@haqpl</a></li>
<li><a href="https://twitter.com/fluxfingers">@fluxfingers</a></li>
<li><a href="https://twitter.com/terjanq">@terjanq</a></li>
<li><a href="https://twitter.com/zoczus">@zoczus</a></li>
<li><a href="https://twitter.com/abdulahhusam">@Abdulahhusam</a></li>
<li><a href="https://twitter.com/RootEval">@RootEval</a></li>
<li><a href="https://twitter.com/BenHayak">@BenHayak</a></li>
<li><a href="https://twitter.com/insertscript">@insertScript</a> and <a href="https://twitter.com/garethheyes">@garethheyes</a></li>
<li><a href="https://twitter.com/sirdarckcat">@sirdarckcat</a></li>
</ul>
<textarea autofocus oninput=debouncedProcess() id=input></textarea><br>
Length of the solution URL: <span id=len></span><br>
<iframe sandbox="allow-scripts allow-modals" id=ifr></iframe>
<script nonce=abcd>
const input = document.getElementById('input');
const iframe = document.getElementById('ifr');
const mainUrl = location.href.split('?')[0];
// from: https://stackoverflow.com/a/24004942
function debounce(func, wait, immediate) {
var timeout;
return function() {
var context = this,
args = arguments;
var callNow = immediate && !timeout;
clearTimeout(timeout);
timeout = setTimeout(function() {
timeout = null;
if (!immediate) {
func.apply(context, args);
}
}, wait);
if (callNow) func.apply(context, args);
}
}
function process() {
const sanitized = DOMPurify.sanitize(input.value);
history.replaceState(null, null, mainUrl + '?xss=' + encodeURIComponent(input.value));
const html = `
<meta http-equiv=Content-Security-Policy content="script-src https://pastebin.com/how-can-i-escape-this/ 'nonce-xyz' https://securitymb.github.io/xss/1/modules/v20190816/">
<h1>Homepage!</h1>
<p>Welcome to my homepage! Here are some info about me:</p>
${sanitized}
<script nonce=xyz src="./main.js"><\/script>
`;
iframe.srcdoc=html;
len.textContent = location.href.length;
}
input.value = new URL(location).searchParams.get('xss');
window.debouncedProcess = debounce(process, 100);
debouncedProcess();
</script>
const sanitized = DOMPurify.sanitize(input.value);
const html = `
<meta http-equiv=Content-Security-Policy content="script-src https://pastebin.com/how-can-i-escape-this/ 'nonce-xyz' https://securitymb.github.io/xss/1/modules/v20190816/">
<h1>Homepage!</h1>
<p>Welcome to my homepage! Here are some info about me:</p>
${sanitized}
<script nonce=xyz src="./main.js"><\/script>
`;
iframe.srcdoc=html;
len.textContent = location.href.length;
window.CONFIG = window.CONFIG || {
version: "v20190816",
test: false,
appName: "XSS Challenge",
}
function loadModule(moduleName) {
const scriptSrc = new URL(document.currentScript.src);
let url = '';
if (CONFIG.test && window.testPath) {
url = window.testPath.protocol + '//' + window.testPath.host;
} else {
url = scriptSrc.origin;
}
url += `/xss/1/modules/${CONFIG.version}/${moduleName}.js`;
const sc = document.createElement('script');
sc.src = url;
document.body.appendChild(sc);
}
loadModule('h1-magic');
loadModule('tracker');
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment