Writeup to Intigriti’s 0621 XSS challenge


against strict CSP policies

location=name

Executing arbitrary parentheses-less XSS against strict Content-Security-Policies (CSP)

XSS Challenge


Alternative ways to retrieve table names in MySQL — without information_schema.

  • UNION … SELECT
  • information_schema
  • “in” and “or” keywords
Full blacklist with examples

Alternatives to information_schema table


Write-up based on “simple” XSS challenge by @terjanq

The challenge

  1. Displaying HTML code sanitized by DOMPurify via the ?safe=html_code parameter.
  2. Embedding user’s unsafe code in…


Leaking user’s emails — Proof of Concept

A brief summary of the attack

  1. The attacker controls a malicious website; let’s call it evilwebsite.com.
  2. On the malicious evilwebsite.com, the attacker evicts a specific resource from the browser cache, e.g. the “not found” image.


Based on @SecurityMB XSS Challenge

XSS Challenge

If you are familiar with the challenge details and are only interested in knowing the solutions, I recommend scrolling down to the ‘CSP Path bypass’ section.

Task description


and the deceiver of protected.

Quick introduction:


or rather: How I am able to hijack your autosuggestions in Google Search.


Proof of Concept in action

Vulnerabilities


Content-Type: text/html

terjanq

Security enthusiast that loves playing CTFs and hunting for bugs in the wild. Also likes to do some chess once in a while. twitter.com/terjanq
