Hey people, here's a small XSS challenge: ##Setup > cat webserver.py import BaseHTTPServer import re class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): def do_GET(self): self.send_response(200) self.send_header('Content-type','text/html') self.end_headers() self.wfile.write(self.__renderHTML()) return def __renderHTML(self): matches = re.search("^/(\?)([^=]+)\=([^\&]+)", self.path) if matches: var = matches.group(3) return "Challenge" else: return "" def run(server_class=BaseHTTPServer.HTTPServer, handler_class=RequestHandler): server_address = ('localhost', 8000) httpd = server_class(server_address, handler_class) httpd.handle_request() httpd.serve_forever() run() > python2.7 webserver.py - - [17/Nov/2014 12:11:28] "GET /?foo=bar HTTP/1.1" 200 - Then use a browser to send a GET-parameter to the webserver. E.g. http://localhost:8000/?foo=bar > curl "http://localhost:8000/?foo=bar" Challenge ##Task Your task is to trigger a XSS. ##Rules - Execute alert(document.domain) ##Hall of fame - Peter Jaric (@peterjaric) - Unintended solution by defeating the regex. (Code updated and it shouldn't work anymore) http://localhost:8000/&a='+alert(1)+' - Mathias Karlsson (@avlidienbrunn) - localhost:8000/?foo='-alert(document.domain)-' works in Safari ##Contact - Twitter @internetwache