Hey people, 

here's a small XSS challenge: 

##Setup

> cat webserver.py 
import BaseHTTPServer
import re

class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):

    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-type','text/html')
        self.end_headers()
        self.wfile.write(self.__renderHTML())
        return 

    def __renderHTML(self):
        matches = re.search("^/(\?)([^=]+)\=([^\&]+)", self.path)
        
        if matches:
            var = matches.group(3)
            return "<html><head><title>Challenge</title></head><body><script>var foo='" + var +"';</script></body></html>"
        else:
            return ""

def run(server_class=BaseHTTPServer.HTTPServer, handler_class=RequestHandler):
    server_address = ('localhost', 8000)
    httpd = server_class(server_address, handler_class)
    httpd.handle_request()
    httpd.serve_forever()

run()

> python2.7 webserver.py 
127.0.0.1 - - [17/Nov/2014 12:11:28] "GET /?foo=bar HTTP/1.1" 200 -

Then use a browser to send a GET-parameter to the webserver. E.g. http://localhost:8000/?foo=bar

> curl "http://localhost:8000/?foo=bar"
<html><head><title>Challenge</title></head><body><script>var foo='bar';</script></body></html>

##Task
Your task is to trigger a XSS. 

##Rules
- Execute alert(document.domain) 

##Hall of fame
- Peter Jaric (@peterjaric) - Unintended solution by defeating the regex. (Code updated and it shouldn't work anymore) http://localhost:8000/&a='+alert(1)+'
- Mathias Karlsson (@avlidienbrunn) - localhost:8000/?foo='-alert(document.domain)-' works in Safari

##Contact
- Twitter @internetwache