Solution for “A Weird XSS Case”

This challenge was created for BSidesDublin 2019; the goal was to
trigger an alert using an XSS on the domain https://bsides2019dublin.h4cktheplanet.com/.

Nobody was able to solve it during the event so we decided to keep it online for an extra week to let you play with it.

Three people managed to solve it during this extra time:

Here is the full solution

The website is a single HTML file asking for a username.

When you submit a username, some checks are made and a message tells you whether the submitted username is l33t or not.

Let’s take a look at the JavaScript code.
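The challenge's own JavaScript is not reproduced on this page. As an added illustration of the pattern the description above outlines (a client-side check on the username, then a result message built from the submitted value), here is a hypothetical sketch written for this page, not the challenge's code: the names `isL33t`, `renderMessageUnsafe`, `renderMessageSafe` and the l33t rule are assumptions, and the probe string is constructed for the example. It shows the point a tester looks for first: a validation check that rejects the input does not stop the input from being reflected into an HTML sink.

```javascript
// Added illustrative example, not the challenge's JavaScript. The function
// names and the "l33t" rule below are assumptions made for this sketch.

// Hypothetical check: a "l33t" username is purely alphanumeric and uses at
// least one of the classic digit substitutes (0, 3, 4, 7).
function isL33t(username) {
  return /^[A-Za-z0-9]+$/.test(username) && /[0347]/.test(username);
}

// Vulnerable pattern: the username is concatenated into an HTML string that
// would later be assigned to an innerHTML-style sink, so markup in the input
// becomes live DOM. Note that failing the l33t check does not help: the
// verdict message still carries the raw value.
function renderMessageUnsafe(username) {
  const verdict = isL33t(username) ? "is l33t" : "is not l33t";
  return "<p>" + username + " " + verdict + "</p>";
}

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: same message, but the reflected value is encoded for the
// HTML text context it lands in. (Using textContent instead of innerHTML on a
// real page achieves the same thing without a string-level escape.)
function renderMessageSafe(username) {
  const verdict = isL33t(username) ? "is l33t" : "is not l33t";
  return "<p>" + escapeHtml(username) + " " + verdict + "</p>";
}

// Constructed probe: rejected by the l33t check, yet still reflected.
const probe = "<img src=x onerror=alert(1)>";

console.log(renderMessageUnsafe(probe)); // payload survives intact
console.log(renderMessageSafe(probe));   // payload is inert text
```

The takeaway for the challenge is that "some checks are made" only matters if the checks sit between the input and the sink; a verdict that echoes the rejected input is still a reflection point.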

+ Read More

The Dark Side of XSS revealed

Cross-site scripting (XSS) is one of the most common web application vulnerabilities and is still present in the OWASP Top 10-2017.

The goal of this paper is not to explain how to bypass anti-XSS filters in browsers or WAF protections, but to show what an attacker can actually do once an XSS vulnerability is found.

CISOs, like bug bounty managers, need to pay attention to this kind of vulnerability, which can at times be critical as the first step of an attack chain.

+ Read More