<!DOCTYPE html>
<html lang="en" xmlns:msdt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:mso="urn:schemas-microsoft-com:office:office">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
Intigriti April Challenge
</title>
<meta content="summary_large_image" name="twitter:card">
<meta content="@intigriti" name="twitter:site">
<meta content="@intigriti" name="twitter:creator">
<meta content="April XSS Challenge - Intigriti" name="twitter:title">
<meta content="Find the XSS and WIN Intigriti swag." name="twitter:description">
<meta content="https://challenge-0422.intigriti.io/share.jpg" name="twitter:image">
<meta content="https://challenge-0422.intigriti.io" property="og:url">
<meta content="website" property="og:type">
<meta content="April XSS Challenge - Intigriti" property="og:title">
<meta content="Find the XSS and WIN Intigriti swag." property="og:description">
<meta content="https://challenge-0422.intigriti.io/share.jpg" property="og:image">
<link href="https://fonts.googleapis.com/css2?family=Poppins:wght@400;700&display=swap" rel="stylesheet">
<link href="style.css" rel="stylesheet">
<!--[if gte mso 9]><xml>
<mso:CustomDocumentProperties>
<mso:MediaServiceImageTags msdt:dt="string"></mso:MediaServiceImageTags>
<mso:lcf76f155ced4ddcb4097134ff3c332f msdt:dt="string"></mso:lcf76f155ced4ddcb4097134ff3c332f>
<mso:TaxCatchAll msdt:dt="string"></mso:TaxCatchAll>
</mso:CustomDocumentProperties>
</xml><![endif]-->
</head>
<body>
<section id="wrapper">
<section id="rules">
<div class="card-container" id="challenge-container">
<div class="card-header">
<img alt="creator" class="card-avatar" src="creator.jpg">
Intigriti's April XSS challenge
<br>
By
<a href="https://twitter.com/aszx87410" target="_blank">
@aszx87410
</a>
</div>
<div class="card-content" id="challenge-info">
<p>
Find a way to execute arbitrary javascript on the iFramed page and win Intigriti swag.
</p>
<b>
Rules:
</b>
<ul>
<li>
This challenge runs from the 18th of April until the 24th of April, 11:59 PM CET.
</li>
<li>
Out of all correct submissions, we will draw
<b>
six
</b>
winners on Monday, the 25th of April:
<ul>
<li>
Three randomly drawn correct submissions
</li>
<li>
Three best write-ups
</li>
</ul>
</li>
<li>
Every winner gets a â¬50 swag voucher for our
<a href="https://swag.intigriti.com/" target="_blank">
swag shop
</a>
</li>
<li>
The winners will be announced on our
<a href="https://twitter.com/intigriti" target="_blank">
Twitter profile
</a>
.
</li>
<li>
For every 100 likes, we'll add a tip to
<a href="https://go.intigriti.com/challenge-tips" target="_blank">
announcement tweet
</a>
.
</li>
<li>
Join our
<a href="https://go.intigriti.com/discord" target="_blank">
Discord
</a>
to discuss the challenge!
</li>
</ul>
<b>
The solution...
</b>
<ul>
<li>
Should work on the latest version of Chrome
<b>
and
</b>
FireFox.
</li>
<li>
Should execute
<code>
alert(document.domain)
</code>
.
</li>
<li>
Should leverage a cross site scripting vulnerability on this domain.
</li>
<li>
Shouldn't be self-XSS or related to MiTM attacks.
</li>
<li>
Should not require any kind of user interaction. There should be a URL that when visited will present the victim with a popup
</li>
<li>
Should be reported at
<a href="https://go.intigriti.com/submit-solution">
go.intigriti.com/submit-solution
</a>
.
</li>
</ul>
<b>
Test your payloads down below and
<a href="challenge/Window%20Maker.html">
on the challenge page here
</a>
!
</b>
<p>
Let's pop that alert!
</p>
</div>
</div>
<div class="card-container">
<iframe height="600px" src="challenge/Window%20Maker.html" width="100%">
</iframe>
</div>
</section>
</section>
</body>
</html>