soXSS challenge

Delivered by terjanq & NDevTK

Can you take on yet another challenge and pop an alert() on origin?

Your HTML code

Rendered page


The solution:
  • The challenge is over! Check out the PoC and the writeup.
  • Must work in the latest version of Chrome or Firefox.
  • Can't make use of other domains from * (including
  • Can't be a self-XSS.
  • Must be submitted in a private message to terjanq or NDevTK.
  • Must display contents of admin's file, i.e. alert(_RAW_HTML_CONTENTS_).
  • Must not require heavy user interaction (e.g. 2 clicks are acceptable).
  • The challenge was patched on 10/22/2021 4pm CEST.

Hall of Fame