This is a security challenge I developed for HackFortress at DEF CON 2014. It scores your ability to craft an XSS exploit.
Try it out and let me know if you solve it.
Open the challenge in your browser. Finding the instructions is (an easy) part of the challenge.
Your score is returned from /stolen_data and is based upon three concerns:
- Did you steal the correct information?
- Did you actually perform code injection in the browser?
- Did you do it without making the page appear compromised?
The backend runs a number of checks upon the compromised page using jsdom, so it's not particularly easy to cheat.
Ensure ./node_modules/.bin is in your path, then run:
npm install
npm start
open http://localhost:3000