Intigriti XSS Challenge - Solution and problem solving approach

Intigriti released a fun little XSS challenge that required crafting a special URL that would both be assigned to an iframe’s src and be passed to an eval call to pop an alert(document.domain), which was the objective of the challenge. But how do we get there? Let’s take a step back and walk our way through it.

Yet another $50M CTF writeup!

This is my writeup for the $50M CTF by HackerOne. This was my first proper CTF and I don’t have much experience in the bug bounty world either, so everything was new from the beginning to the end, including the report-writing part. What I went for in this report was more of a “bug report to a program” style and not “blog for an audience” style. Everything was not as straightforward as the report suggests; I’ll add some notes to give more context here and there. In hindsight, my report was probably way too “straightforward” and lacks a lot of details about how I actually worked to come to all those conclusions. I’ll be better next time!
