Skip to content

Instantly share code, notes, and snippets.

View Siss3l's full-sized avatar
🦊

Sissel Siss3l

🦊
View GitHub Profile
@Siss3l
Siss3l / chall.md
Last active October 9, 2025 13:54
Monthly Code Challenge 2025

Monthly Code Challenge 2025

We have this month some little challenges for the price of one.

XSS

XSS

<?php
@Siss3l
Siss3l / 0825.md
Last active August 27, 2025 17:08
Intigriti August 2025 XSS Challenge @0xblackbird

Intigriti August 2025 XSS Challenge

Chall

Description

The solution:

  • Should not exploit 0-day or Chromium RCE;
  • Should leverage RCE on the server without sandbox;
  • Should include the flag in the format INTIGRITI{...};
@Siss3l
Siss3l / 0725.md
Last active August 30, 2025 15:19
Intigriti 2025 Web Challenge

Intigriti 2025 Web Challenge

Chall

Description

The solution:

  • Should work on the latest version of Firefox and Chromium. Due to recent changes, the --disable-features=EscapeLtGtInAttributes startup flag is required for Chromium, and in Firefox set dom.security.html_serialization_escape_lt_gt=false in about:config (this check should says "does NOT escape");
  • Should leverage a cross site scripting vulnerability on this domain;
@Siss3l
Siss3l / 0625.mdx
Last active June 27, 2025 11:12
Intigriti June 2025 XSS Challenge @ToGiDoG

Intigriti June 2025 XSS Challenge

Chall

Description

The solution:

  • Should not exploit 0-day or Chromium RCE;
  • Should leverage RCE on the server without sandbox;
  • Should also include the flag in the format INTIGRITI{.*};
@Siss3l
Siss3l / 0525.md
Last active May 17, 2025 10:18
Intigriti May 2025 XSS Challenge @joaxcar

Intigriti May 2025 XSS Challenge

Chall

Description

The solution:

  • Should pop alert;
  • Should not be self-XSS or related to MiTM attacks;
  • Should leverage a cross site scripting vulnerability on this domain;
@Siss3l
Siss3l / bonus.md
Last active May 13, 2025 11:48
Intigriti March 2025 Bonus Web Challenge

Intigriti March 2025 Bonus Web Challenge

Resolution

Based on the website working with NextJS and XML edition, we suspect that related recent exploits are needed to easily solve this challenge:

# On local host
flag = __import__("json").loads(__import__("requests").post(
  "https://hackdonalds.intigriti.io/api/parse-xml",
@Siss3l
Siss3l / 0325.md
Last active April 5, 2025 18:20
Intigriti March 2025 XSS Challenge @0x999-x

Intigriti March 2025 XSS Challenge

Challenge

Description

The solution:

  • Should leverage a cross site scripting vulnerability on this domain;
  • Should work on the latest version of Chromium and Firefox;
@Siss3l
Siss3l / escape.md
Last active April 5, 2025 18:20
XSS Web Challenge 2025 @RenwaX23

Renwa XSS Iframe Escape Web Challenge 2025

Description

Pop the alert().

Chall

Overview

@Siss3l
Siss3l / poc.md
Last active April 5, 2025 18:20
DOMPurify 3.2.4 February XSS Challenge

DOMPurify 3.2.3 February XSS Challenge

Description

Pop an alert.

Chall

The solution:

@Siss3l
Siss3l / gen10.py
Created January 31, 2025 14:38
Genuary Art 2025 #genuary10 #genuary
"""JAN Ten (credit: Darien Brito) | You can only use TAU in your code, no other number allowed."""
from flask import Flask, Response, request
app = Flask(__name__)
@app.route("/", methods=["GET"])
def start() -> Response:
return Response("""
<!DOCTYPE html>
<html>
<head>
<script src="./p.js"></script>