Intigriti easter XSS challenge


My solution to Intigriti’s XSS challenge is:

The decoded payload after the fragment looks something like this:

#../index.php/lolman"><iframe srcdoc="<script src=&#x22;/lol';alert(document.domain);-'&#x22;></script>">/diceme

One interesting thing to note is that most people used the reflection in the 403 page when files starting with .ht were blocked whereas I used the reflection from the PHP’s weird path handling.

As per the norm, the requests to /index.php and /index.php/anything/random are both routed to /index.php but a request to /index.php/haxed/me ended up reflecting haxed in one of the link tags in the response. The backend probably used PHP’s basename($_SERVER['SELF']) to output the link tags, leading to the issue.

Overall, the challenge was pretty unique and I applaud intrigiti for coming up with it.