XSS Challenge - December 22

This repository contains the code and the intended solution for the December XSS challenge of Intigriti's monthly challenge.

Difficulty

The challenge difficulty depends on your settings inside docker-compose.yml and can be set to either medium or hard. For the monthly challenge, we chose to set the difficulty to medium. However, the challenge also contained an unintended solution which made it very easy to solve (read the writeups below).

Setup

Everything you need to set up the challenge is inside the challenge directory. You can use Docker to start it:

docker-compose up

In case of issues with the psycopg2 package on M1 Macs, try the following: export DOCKER_DEFAULT_PLATFORM=linux/amd64

Goal

The goal is to alert the victim's username. Your payload should work in the latest versions of Chrome and Firefox. It should also not require any kind of user interaction except the user clicking on your malicious URL.

Solution

The intended solution and an explanation are inside the solution directory. DO NOT SPOIL IT FOR YOURSELF!

There are also a couple of writeups from the community for the intended and unintended solutions: