XSS Challenge - Show Your Skills!

Greets to all security researchers! :wave:

Hope you are all fine. Because we have a great XSS challenge for you! :heart_eyes:

As security researchers of team VULLNERAB1337, we have just created an XSS challenge with Bugcrowd’s sponsorship, and I am proud of announcing this awesome challenge.

Rewards:

  • Top 3 researchers will win Bugcrowd T-Shirt

  • 4th-10th researchers will win Bugcrowd stickers and VULLNERABILITY stickers.

  • We will credit the participated researcher’s names and Twitter accounts on this post and VULLNERABILITY challenge page. :clap:

  • Also, we would like to publish the most detailed writeup and credit the author! :medal_sports:

Scenario:
Devplanet is a software development company that is hiring. They are calling for best developers and they have created an online application form. Discover XSS vulnerabilities on this platform and prove them your skills.

Challenge starts: 04.08.2020 / 15:00 UTC

Challenge expires: 07.08.2020 / 15:00 UTC

Tips: We will publish a new tip for every 50 likes. Please follow @bugcrowd and @vullnerab1337 Twitter accounts to don’t miss tips and announcements about challenges. See the latest tips:

https://twitter.com/VULLNERAB1337/status/1290666901849374726

Rules:

  • Please don’t share the answer or writeup with others.

  • There are multiple XSS vulnerabilities in this challenge. The researcher who has detected more vulnerabilities and submitted to us fastest will earn more score.

  • It is just a challenge and there is no company called Devplanet. So, please don’t use your real information while registering for the website and testing the application.

  • You don’t need to use any brute-force or fuzzing tool. Also, using automated tools are not allowed. Otherwise, we may block your IP address and you may be disqualified from the challenge.

  • Please just focus on XSS vulnerabilities. Other submissions will not count as valid and please don’t crash the website or don’t attack it.

  • Please use a payload to alert document.domain and get a pop-up that includes the domain name. Other payloads will not count as valid.

  • If there is Content-Security-Policy protection, please bypass this. Otherwise, your answer will not count as valid.

  • Your payloads have to work for the latest versions of Chrome or Firefox browsers.

  • After the challenge, we will contact with top 10 researchers to give rewards. So, we may need some of your personal information like name, e-mail, address, etc.

Challenge URL: https://lab.takeover.host

Have you solved the challenge? Submit your step-by-step solutions to info@vullnerability.com address.

As I mentioned, we will especially publish the most-detailed writeup and credit the author.

Thanks for participating! :smiling_face_with_three_hearts:

2 Likes

Challenge is over! Thanks to all participants and Bugcrowd team! :smiling_face_with_three_hearts:

It’s the most detailed write-up: Bugcrowd & Vullnerability XSS Challenge by @BenkoOfficial :face_with_monocle:

I am proud of announcing the solvers:

  1. Rodolfo Assis (@rodoassis)
  2. Ademar Nowasky Junior (@nowaskyjr)
  3. OfficialBenko (@BenkoOfficial)
  4. Roni Carta (@0xLupin)
  5. Nicolas Christin (@acut3hack)
  6. Arwildo Belekubun (@arwildo)
  7. Devyn (@devyn)
  8. Buğra Eskici (@bugraeskici)
  9. Aniket Patel (@Aniket_Patel12)
  10. R4GN4R (@chr_jim)
  11. Numan Türle (@numanturle)
  12. Akhmad Yudha (@Akhmad_Yudha)
  13. Hao (@haoneses)
  14. Enes (@EnesSaltk7)
  15. Enes HAZIR (@eneshazr)
  16. Tolga Demirayak (@TolgaDemirayak)
  17. Sudhanshu Rajbhar (@sudhanshur705)
  18. Patrick Nassef (@Patrick0x41)

Other write-ups, videos and resources: (Feel free to send me yours.)

XSS is the ability to execute JavaScript inside the browser of anyone who visits a specific webpage usually by injecting a combination of HTML and JavaScript.

1 Like