Greets to all security researchers!
Hope you are all fine. Because we have a great XSS challenge for you!
As security researchers of team VULLNERAB1337, we have just created an XSS challenge with Bugcrowd’s sponsorship, and I am proud of announcing this awesome challenge.
Top 3 researchers will win Bugcrowd T-Shirt
4th-10th researchers will win Bugcrowd stickers and VULLNERABILITY stickers.
We will credit the participated researcher’s names and Twitter accounts on this post and VULLNERABILITY challenge page.
Also, we would like to publish the most detailed writeup and credit the author!
Devplanet is a software development company that is hiring. They are calling for best developers and they have created an online application form. Discover XSS vulnerabilities on this platform and prove them your skills.
Challenge starts: 04.08.2020 / 15:00 UTC
Challenge expires: 07.08.2020 / 15:00 UTC
Tips: We will publish a new tip for every 50 likes. Please follow @bugcrowd and @vullnerab1337 Twitter accounts to don’t miss tips and announcements about challenges. See the latest tips:
Please don’t share the answer or writeup with others.
There are multiple XSS vulnerabilities in this challenge. The researcher who has detected more vulnerabilities and submitted to us fastest will earn more score.
It is just a challenge and there is no company called Devplanet. So, please don’t use your real information while registering for the website and testing the application.
You don’t need to use any brute-force or fuzzing tool. Also, using automated tools are not allowed. Otherwise, we may block your IP address and you may be disqualified from the challenge.
Please just focus on XSS vulnerabilities. Other submissions will not count as valid and please don’t crash the website or don’t attack it.
Please use a payload to alert document.domain and get a pop-up that includes the domain name. Other payloads will not count as valid.
If there is Content-Security-Policy protection, please bypass this. Otherwise, your answer will not count as valid.
Your payloads have to work for the latest versions of Chrome or Firefox browsers.
After the challenge, we will contact with top 10 researchers to give rewards. So, we may need some of your personal information like name, e-mail, address, etc.
Challenge URL: https://lab.takeover.host
Have you solved the challenge? Submit your step-by-step solutions to firstname.lastname@example.org address.
As I mentioned, we will especially publish the most-detailed writeup and credit the author.
Thanks for participating!