In-depth write-up of BugPoC’s XSS Challenge

Sa~a, hajimeyou (Let's Begin)

On visiting the challenge's page at, there is a text box where we can enter some text; on submitting the value, the text gets converted to wacky text. The textbox accepts every character except these: &*<>%. The interaction can be seen below.

Syntax: code between <!-- here --> markers is the highlighted part, the piece to understand in the snippets.

1. Not in a frame?

On visiting frame.html, the page says it can only be viewed from inside an iframe.

2. Injecting stuff onto the page

So, with the environment properly set up for further solving: anything passed in ?param=our_input gets reflected inside the <title></title> tag, as shown in the picture below.

3. Understanding and Bypassing the CSP

HTTP/2 200
date: Sun, 08 Nov 2020 14:48:05 GMT
content-type: text/html
content-length: 5098
server: AmazonS3
x-amz-id-2: SgB2PKz+mg9BDT2OlvE9TFDpu0snGBmhn3XnoYIMJ871OPZ/IRSSXQUAdPjwOeCcY1AUCtUvwbI=
etag: "a0fb3b12a1f41a3c5cdea1fbf67ab1ad"
accept-ranges: bytes
content-security-policy: script-src 'nonce-aofcyyfctbga' 'strict-dynamic'; frame-src 'self'; object-src 'none';
x-amz-request-id: 47F508C8F9A5EC8C
last-modified: Wed, 28 Oct 2020 15:07:02 GMT
x-frame-options: SAMEORIGIN
apigw-requestid: VsW93htwPHcEMQA=

3. <base> for the rescue

The <base> tag defines the base URL for relative URLs, meaning that if we do something like the snippet below, the "x.html" resource gets loaded like //

<base href=//><a href='x.html'>Clickme</a>
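Added example, not code from the write-up or from BugPoC, covering the CSP headers shown above and the <base> trick: it parses a policy, flags the missing base-uri directive that lets an injected <base href> rebase every relative script URL, and shows how a relative URL resolves once a base is in effect. The hardened policy string and the example.invalid base URL are assumptions of the example.

```javascript
// Audit a Content-Security-Policy header for the gap this challenge relies on:
// a nonce + 'strict-dynamic' script-src stops inline injection, but with no
// base-uri directive an injected <base href> changes where relative script
// URLs are fetched from. Header string below is the one from the write-up.
const CHALLENGE_CSP =
  "script-src 'nonce-aofcyyfctbga' 'strict-dynamic'; frame-src 'self'; object-src 'none';";

// Parse "directive value value; directive value" into a Map.
// Directive names are lower-cased; values are kept as-is (nonces are case-sensitive).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // a trailing ';' leaves an empty part
    const [name, ...values] = tokens;
    policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// Return short finding codes; an empty array means none of these checks fired.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const scriptSrc = (policy.get('script-src') || policy.get('default-src') || [])
    .map((v) => v.toLowerCase());
  if (!policy.has('base-uri')) findings.push('NO_BASE_URI'); // <base> injection rebases relative src
  if (!policy.has('object-src') && !policy.has('default-src')) findings.push('NO_OBJECT_SRC');
  if (!policy.has('default-src')) findings.push('NO_DEFAULT_SRC'); // unlisted fetch directives are open
  if (scriptSrc.includes("'unsafe-inline'") && !scriptSrc.some((v) => v.startsWith("'nonce-"))) {
    findings.push('UNSAFE_INLINE'); // a nonce would neutralise 'unsafe-inline'; without one it is live
  }
  return findings;
}

// Where a relative URL resolves once a <base href> is in effect (WHATWG URL API).
function resolveWithBase(relative, baseHref) {
  return new URL(relative, baseHref).href;
}

// Constructed hardened policy (assumption): same script-src, plus base-uri and default-src.
const HARDENED_CSP = CHALLENGE_CSP + " base-uri 'none'; default-src 'self'";

console.log(auditCsp(CHALLENGE_CSP)); // [ 'NO_BASE_URI', 'NO_DEFAULT_SRC' ]
console.log(auditCsp(HARDENED_CSP)); // []
console.log(resolveWithBase('x.html', 'https://example.invalid/static/'));
```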

4. DOM Clobbering :D

So I started looking at the fileIntegrity variable; from the way it was coded, it could be clobbered, as you can see in the picture below.

?param=</title><base href=''></head><body><a id='fileIntegrity'></a><a id='fileIntegrity' name=value href='sss'></a>
