CSP ruined my Pentest-Report!
Wait, yours too? Let's do something about it :)
Welcome to yet another XSS challenge. This time, you, the fellow contestant, are confronted with a powerful adversary: The Content Security Policy.
CSP is cool. Even if the websites in scope are injectable, an attacker cannot do no nothing no more. Perfect.
Let's throw escaping, encoding and filtering overboard because the magic headers will protect us! Yay :D
But is CSP really that powerful? Will it really be the end of XSS - or is there a way around in many situations just like this one?
Let's see. Your goal is to inject payload that causes an alert(1337) to fire.
The Writeup
The challenge is over, here's the writeup!
The Rules
- Execute
alert(1337) via GET parameter xss on this domain
- Only modern browsers that support CSP are accepted (FF38+, Chrome 43+, Edge)
- Please don't try to find a file that echoes "alert(1337)" on this domain. Even if you find one, it would not be a valid solution.
- There is at least one model solution.
- Minimal user interaction is permitted
- In the end, the shortest vector will win.
The Winners
- @mage_1868 with unexpected but fully valid 107 bytes! Wow! (9th of July 2015)
- @stamparm with another 107 characters (9th of July 2015)
- @kinugawamasato, now also with 107 bytes (9th of July 2015)
- @en4rab with another 107 bytes (10th of July 2015)
- @garethheyes from the Scottish Highlands with 107 bytes (11th of July 2015)
- @cbothamy with only but 115 bytes of payload (10th of July 2015)
- @vokiel with another 115 bytes (13th of July 2015)
- @filedescriptor with sensational 127 bytes (9th of July 2015)
- @freddyb with no more than 127 bytes of glory (9th of July 2015)
- @benhayak with another 127 bytes (10th of July 2015)
- @cgvwzq with 127 bytes (10th of July 2015)
- @iwasakinoriaki with 127 bytes (10th of July 2015)
- @tyage with competitive 128 bytes (9th of July 2015)
- @slekies with another 128 bytes (9th of July 2015)
- @fransrosen with 128 bytes (9th of July 2015)
- @securitymb with 128 bytes (9th of July 2015)
- @bmantra and Alenvers with 128 bytes (10th of July 2015)
- @ru_raz0r with another 128 bytes (13th of July 2015)
- InfernalQuack with elegant 129 bytes (11th of July 2015)
- @kuza55 with 132 bytes (9th of July 2015)
- @p_wiaderny with another 132 bytes (11th of July 2015)
- @tehjh with a very unorthodox approach using 191 bytes (9th of July 2015)
- @avlidienbrunn with very unconventional, user-interaction-free 217 bytes (9th of July 2015)
- You?
You solved it? Send an email to [email protected].