About the challenge:

  • The target is to pop an alert() on this host
  • Tested on Chrome 80.0.3987.163
  • No user interaction allowed
  • Lets imagine that all this pages has 'X-FRAME-OPTIONS: SAMEORIGIN' header and well-configured CSP :) So the solution is a link to this page, which triggers the alert, nothing more.

    • Solved by:

  • @insertScript unintended(fixed), intended
  • @SecurityMB intended
  • @fransrosen unintended x2(fixed & new rule about iframes), intended
  • @S1r1u5_ intended
  • @shafigullin intended

    • Solution


    Solved? DM me here