Intigiriti’s November challenge by IvarsVids was about a Vue.js one-pager that reflected user input with some replacements. After visiting the challenge homepage at https://challenge-1121.intigriti.io/ we quickly notice it reflects
s query parameter not escaping HTML less than and greater than signs resulting in HTML injection.
This month’s challenge, made by Holme, was a little bit different than the ones I have previously solved as it had a server-side processing issue.
At this year’s Armsec seventh annual information security conference - reARMSEC, I made a small presentation (Google slides, PDF version) on why the modern web is hard describing HackerOne’s top 10 most impactful and rewarded vulnerability types for 2020. As for the real-life examples of the bugs, I gathered reports mostly from HackerOne’s Hacktivity.
This month’s Intigriti’s XSS challenge was interesting as a couple of hours after Frans Rosén submitted an unintended solution, and I got interested in that one more than in the original.