terjanq · September 23, 2019 14:55
diff --git a/full_challenge.html b/full_challenge.html

 <!doctype html><meta charset=utf-8>
 <title>SecurityMB's Security Challenge</title>
 <style>
 * {
  font-family: monospace;
 }  
 textarea {
  width:100%;
  height:90px;
 }
 iframe {
  border: 1px solid;
  width: 100%;
  height: 200px;
 }
 </style>
 <script src=./dompurify-2.0.1.js nonce=abcd></script>
 <h1>XSS challenge</h1>
 <p><b>Rules:</b></p>
 <ul>
 <li>Please enter some HTML. It gets sanitized and shown in the iframe.</li>
 <li>The task is: execute alert(1) (it must actually execute so you have to bypass CSP as well).</li>
 <li>The solution must work on current version of at least one major browser (Chrome, Firefox, Safari, Edge).</li>
 <li>If you find a solution, please DM me at Twitter: <a href="https://twitter.com/SecurityMB">@SecurityMB</a>.</li>
 <li>DOMPurify has been updated to 2.0.1 so you cannot exploit <a href=https://twitter.com/cure53berlin/status/1174617047076147202>the latest mXSS</a>.</li>
 </ul>

 <p><b>Solvers:</b></p>
 <ul>
  <li><a href="https://twitter.com/bonaff3">@bonaff3</a></li>
  <li><a href="https://twitter.com/haqpl">@haqpl</a></li>
  <li><a href="https://twitter.com/fluxfingers">@fluxfingers</a></li>
  <li><a href="https://twitter.com/terjanq">@terjanq</a></li>
  
  <li><a href="https://twitter.com/zoczus">@zoczus</a></li>
  <li><a href="https://twitter.com/abdulahhusam">@Abdulahhusam</a></li>
  <li><a href="https://twitter.com/RootEval">@RootEval</a></li>
  <li><a href="https://twitter.com/BenHayak">@BenHayak</a></li>
  <li><a href="https://twitter.com/insertscript">@insertScript</a> and <a href="https://twitter.com/garethheyes">@garethheyes</a></li>
  <li><a href="https://twitter.com/sirdarckcat">@sirdarckcat</a></li>
  
 </ul>
 <textarea autofocus oninput=debouncedProcess() id=input></textarea><br>
 Length of the solution URL: <span id=len></span><br>
 <iframe sandbox="allow-scripts allow-modals" id=ifr></iframe>
 <script nonce=abcd>
  const input = document.getElementById('input');
  const iframe = document.getElementById('ifr');
  const mainUrl = location.href.split('?')[0];
  
  // from: https://stackoverflow.com/a/24004942
  function debounce(func, wait, immediate) {
    var timeout;

    return function() {
      var context = this,
        args = arguments;

      var callNow = immediate && !timeout;
      clearTimeout(timeout);
      timeout = setTimeout(function() {

      timeout = null;

      if (!immediate) {
          func.apply(context, args);
        }
      }, wait);

      if (callNow) func.apply(context, args);
    }
  }
  
  function process() {
    const sanitized = DOMPurify.sanitize(input.value);
    history.replaceState(null, null, mainUrl + '?xss=' + encodeURIComponent(input.value));
    
    const html = `
 <meta http-equiv=Content-Security-Policy content="script-src https://pastebin.com/how-can-i-escape-this/ 'nonce-xyz' https://securitymb.github.io/xss/1/modules/v20190816/">
 <h1>Homepage!</h1>
    <p>Welcome to my homepage! Here are some info about me:</p>
    ${sanitized}
    <script nonce=xyz src="./main.js"><\/script>
    `;
    
    iframe.srcdoc=html;
    len.textContent = location.href.length;
  }
  
  input.value = new URL(location).searchParams.get('xss');
  
  window.debouncedProcess = debounce(process, 100);
  debouncedProcess();


 </script>
diff --git a/injection_point.js b/injection_point.js
 const sanitized = DOMPurify.sanitize(input.value);

 const html = `
  <meta http-equiv=Content-Security-Policy content="script-src https://pastebin.com/how-can-i-escape-this/ 'nonce-xyz' https://securitymb.github.io/xss/1/modules/v20190816/">
  <h1>Homepage!</h1>
  <p>Welcome to my homepage! Here are some info about me:</p>
  ${sanitized}
  <script nonce=xyz src="./main.js"><\/script>
 `;

 iframe.srcdoc=html;
 len.textContent = location.href.length;
diff --git a/main.js b/main.js
 window.CONFIG = window.CONFIG || {
  version: "v20190816",
  test: false,
  appName: "XSS Challenge",
 }

 function loadModule(moduleName) {
  const scriptSrc = new URL(document.currentScript.src);
  let url = '';
  
  
  if (CONFIG.test && window.testPath) {
    url = window.testPath.protocol + '//' + window.testPath.host;
  } else {
    url = scriptSrc.origin;
  }
  url += `/xss/1/modules/${CONFIG.version}/${moduleName}.js`;
  const sc = document.createElement('script');
  sc.src = url;
  document.body.appendChild(sc);
 }

 loadModule('h1-magic');
 loadModule('tracker');

	<!doctype html><meta charset=utf-8>
	<title>SecurityMB's Security Challenge</title>
	<style>
	* {
	font-family: monospace;
	}
	textarea {
	width:100%;
	height:90px;
	}
	iframe {
	border: 1px solid;
	width: 100%;
	height: 200px;
	}
	</style>
	<script src=./dompurify-2.0.1.js nonce=abcd></script>
	<h1>XSS challenge</h1>
	<p><b>Rules:</b></p>
	<ul>
	<li>Please enter some HTML. It gets sanitized and shown in the iframe.</li>
	<li>The task is: execute alert(1) (it must actually execute so you have to bypass CSP as well).</li>
	<li>The solution must work on current version of at least one major browser (Chrome, Firefox, Safari, Edge).</li>
	<li>If you find a solution, please DM me at Twitter: <a href="https://twitter.com/SecurityMB">@SecurityMB</a>.</li>
	<li>DOMPurify has been updated to 2.0.1 so you cannot exploit <a href=https://twitter.com/cure53berlin/status/1174617047076147202>the latest mXSS</a>.</li>
	</ul>

	<p><b>Solvers:</b></p>
	<ul>
	<li><a href="https://twitter.com/bonaff3">@bonaff3</a></li>
	<li><a href="https://twitter.com/haqpl">@haqpl</a></li>
	<li><a href="https://twitter.com/fluxfingers">@fluxfingers</a></li>
	<li><a href="https://twitter.com/terjanq">@terjanq</a></li>

	<li><a href="https://twitter.com/zoczus">@zoczus</a></li>
	<li><a href="https://twitter.com/abdulahhusam">@Abdulahhusam</a></li>
	<li><a href="https://twitter.com/RootEval">@RootEval</a></li>
	<li><a href="https://twitter.com/BenHayak">@BenHayak</a></li>
	<li><a href="https://twitter.com/insertscript">@insertScript</a> and <a href="https://twitter.com/garethheyes">@garethheyes</a></li>
	<li><a href="https://twitter.com/sirdarckcat">@sirdarckcat</a></li>

	</ul>
	<textarea autofocus oninput=debouncedProcess() id=input></textarea><br>
	Length of the solution URL: <span id=len></span><br>
	<iframe sandbox="allow-scripts allow-modals" id=ifr></iframe>
	<script nonce=abcd>
	const input = document.getElementById('input');
	const iframe = document.getElementById('ifr');
	const mainUrl = location.href.split('?')[0];

	// from: https://stackoverflow.com/a/24004942
	function debounce(func, wait, immediate) {
	var timeout;

	return function() {
	var context = this,
	args = arguments;

	var callNow = immediate && !timeout;
	clearTimeout(timeout);
	timeout = setTimeout(function() {

	timeout = null;

	if (!immediate) {
	func.apply(context, args);
	}
	}, wait);

	if (callNow) func.apply(context, args);
	}
	}

	function process() {
	const sanitized = DOMPurify.sanitize(input.value);
	history.replaceState(null, null, mainUrl + '?xss=' + encodeURIComponent(input.value));

	const html = `
	<meta http-equiv=Content-Security-Policy content="script-src https://pastebin.com/how-can-i-escape-this/ 'nonce-xyz' https://securitymb.github.io/xss/1/modules/v20190816/">
	<h1>Homepage!</h1>
	<p>Welcome to my homepage! Here are some info about me:</p>
	${sanitized}
	<script nonce=xyz src="./main.js"><\/script>
	`;

	iframe.srcdoc=html;
	len.textContent = location.href.length;
	}

	input.value = new URL(location).searchParams.get('xss');

	window.debouncedProcess = debounce(process, 100);
	debouncedProcess();


	</script>
	window.CONFIG = window.CONFIG \|\| {
	version: "v20190816",
	test: false,
	appName: "XSS Challenge",
	}

	function loadModule(moduleName) {
	const scriptSrc = new URL(document.currentScript.src);
	let url = '';


	if (CONFIG.test && window.testPath) {
	url = window.testPath.protocol + '//' + window.testPath.host;
	} else {
	url = scriptSrc.origin;
	}
	url += `/xss/1/modules/${CONFIG.version}/${moduleName}.js`;
	const sc = document.createElement('script');
	sc.src = url;
	document.body.appendChild(sc);
	}

	loadModule('h1-magic');
	loadModule('tracker');