Showing posts from August, 2020

Bug Poc XSS Challenge - Writeup

First, this challenge was awesome and I learned a lot from it.

Description

The challenge was to execute alert(domain) while bypassing the CSP. Let's take a look at the challenge. First, you will notice the script.js file; from this file you will see that the website uses a postMessage function, which means there is a function that receives the message from this postMessage and acts on it. If you search the source code of the main website, you will notice an iframe which includes an HTML file called fram.html; this file shows the numbers and results of the calculator on the website. Open its source code and you will find a file, frame.js. The first line of that file is the listener, which waits for the postMessage request, and the function it executes is receiveMessage. In that function there is a filter on the request's domain (origin). The RegEx has some issues which lead to bypassing it; the RegEx is /^http:\/\
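The origin filter described above, as an added example that is not code from the challenge or from this write-up: a receiveMessage-style handler using a regex origin check beside one using an exact-match allowlist, run over constructed sample origins. The origin calc.example.com, the pattern WEAK_ORIGIN_RE and every helper name are assumptions; the challenge's own RegEx is not reproduced here.

```javascript
// Hypothetical trusted origin for this example (not taken from the challenge).
const TRUSTED_ORIGINS = new Set(["http://calc.example.com"]);

// Constructed weak pattern: the dots are unescaped and there is no end anchor,
// so it accepts more strings than the single origin it was written for.
const WEAK_ORIGIN_RE = /^http:\/\/calc.example.com/;

function weakOriginCheck(origin) {
  return WEAK_ORIGIN_RE.test(origin);
}

// Hardened check: exact string comparison against an allowlist, no regex.
function strictOriginCheck(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Builds a message handler that drops anything failing the origin check
// or carrying unexpected data, and reports whether the message was accepted.
function makeReceiver(isTrusted, onMessage) {
  return function receiveMessage(event) {
    if (typeof event.origin !== "string" || !isTrusted(event.origin)) return false;
    if (typeof event.data !== "string") return false;
    onMessage(event.data);
    return true;
  };
}

// Constructed sample origins for reviewing a filter before shipping it.
const SAMPLE_ORIGINS = [
  "http://calc.example.com",            // the intended origin
  "http://calc.example.com.other.test", // different host, same prefix
  "http://calcXexample.com",            // different host, "." matched any char
  "https://calc.example.com",           // different scheme
];

// Returns, per origin, what each check decides.
function compareChecks(origins) {
  return origins.map((origin) => ({
    origin,
    weak: weakOriginCheck(origin),
    strict: strictOriginCheck(origin),
  }));
}

// In a page, register the hardened handler (skipped outside a browser).
if (typeof window !== "undefined") {
  window.addEventListener("message", makeReceiver(strictOriginCheck, (d) => console.log(d)));
}
```

Running compareChecks(SAMPLE_ORIGINS) in a unit test makes any origin the regex accepts but the allowlist rejects show up as a row where weak and strict disagree.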