Welcome to the Cure53 XSS-Mas Challenge 2014

This challenge is cruel and nasty and tricky and hard to solve. But it doesn't require you to know any browser bugs or alike. There's several pieces you have to put together. And several mini-tasks you have to solve. And you have to keep your payload short. No exclusive knowledge is required, all tricks are either part of some standard or well-known. So it's about putting those things together the right way. The short way. We do have a model solution, there is many ways to do it. The challenge can be solved on several modern browsers, no legacy browsers are allowed. The challenge is curated by @filedescriptor, @mmrupp and @0x6D6172696F. The challenge is hosted by @cure53berlin. The challenge is over, the write-up can be found here. All files are still fully functional so you can still play! Scoreboard Masato Kinugawa (292 bytes, solution working on MSIE 11) Pepe Vila (295 bytes, solution working on FF 35. Requires a click) Mathieu Kooiman (296 bytes, solution working on FF 35) Erling Eliingson (307 bytes, solution working on FF 35. Requires a click) Gábor Molnár (318 bytes, solution working on MSIE 11) Ben Hayak (364 bytes, solution working on FF 35 and Chrome) Alex Inführ & Rafay Baloch (573 bytes, solution working on FF 35) Prizes The winner, once determined, will receive €750 EUR . The jackpot might grow over time as it did last year.

. The jackpot might grow over time as it did last year. The 2nd prize will be rewarded with €250 EUR. Thanks to @mmrupp for donating!

The winner will also get ownership to the domain xss.guru from @irsdl!

from @irsdl! UPDATE: To avoid confusion about what counts as user interaction and what doesn't:

The shortest submission without any user interaction (no clicks, mouseovers, etc.) will win a special cash-prize independently from the actual score

Tasks & Rules

This page has a vulnerable parameter you may use. Use it wisely.

Only two pages are allowed for solving the challenge. This one and the one linked below.

Alert the secret token. You will know it when you see it.

User interaction is not required. You know what we mean when you see it :)

required. You know what we mean when you see it :) The token can, if stars are aligned properly, be found here: Gimme the token!

The shortest vector (in bytes) will win fame and sweet sweet money

The challenge ends on 31st of January 2015

I did it!

That is amazing! Please send your payload and an explanation how you did it to mario@cure53.de.