Description

Find an XSS vulnerability on https://challenge-0421.intigriti.io and win Intigriti swag. This is a guest challenge created by https://twitter.com/terjanq, based on a real-world vulnerability!

Bounties

Responsible disclosure

Domains

https://challenge-0421.intigriti.io

Tier 2
URL
In scope

Update 21/04

Hey hackers,

We notice some of you are struggeling with the 10 second timeframe you'll need to get your PoC triggered.
While it is technically possible and we've had solutions that did it in only a few seconds, we're more than happy to accept solutions that take longer than 10 seconds as well, given the difficulty level of the challenge.

Happy hacking!

Go to the challenge

Rules:

  • Please do NOT reveal the solution until the challenge is over! After that, feel free to send us your videos / writeups and we'll share them. If you'd like to have your writeup qualify for the contest, send it in before monday!
  • This challenge runs from April 19th until April 25nd, 11:59 PM CET.
  • Out of all correct submissions, we will draw six winners on Monday, April 26nd (3 randomly drawn, 3 best write-ups)
  • Every winner gets a €50 swag voucher for our swag shop.
  • The winner will be announced on our Twitter profile.
  • For every 100 likes, we'll add a tip to the announcement tweet.

The solution...

  • Should be reported on this program
  • Should work on the latest version of Firefox or Chrome
  • Should leverage a cross site scripting vulnerability on the challenge page (javascript should execute on challenge-0421.intigriti.io)
  • Should not use any user interaction (a popup is allowed, note from challenge creator: either click on unlimited popups or exceeded 10s (but reasonably, not like 10 minutes to calculate), but not both at the same time))
  • Shouldn't be self-XSS or related to MiTM attacks
  • Shall not be publicly disclosed before the program ends
Out of scope

N/A

Rules of engagement

Our promise to you

  • We will respond to report in ultimately two weeks, probably faster!
  • We are happy to respond to any questions, please use the button in the right top corner for this.
  • We respect the safe harbour clause that you can find below

Your promise to us

  • Provide detailed but to-the point reproduction steps* Include a clear attack scenario. How will this affect us exactly?
  • Remember: quality over quantity!
  • Please do not discuss or post vulnerabilities without our consent (including PoC's on YouTube and Vimeo)
  • Please do not use automatic scanners -be creative and do it yourself! We cannot accept any submissions found by using automatic scanners. Scanners also won't improve your skills, and can cause a high server load (we'd like to put our time in thanking researchers rather than blocking their IP's 😉)

Safe harbour for researchers

intigriti considers ethical hacking activities conducted consistent with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute “authorized” conduct under criminal law. intigriti will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will they file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, intigriti will take steps to make it known that your actions were conducted in compliance and with our approval.

Severity assessment

Please send your submission in as medium

FAQ

N/A

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Program specifics
ID check required
Reputation points
Triage
Researchers
last contributors
logo
logo
leaderboard
logo
logo
Overall stats
submissions received
10
average payout
N/A
accepted submissions
2
total payouts
N/A
Last 90 day response times
avg. time first response
< 8 hours
avg. time to decide
< 8 hours
Activity
4/21
logo
created a submission
4/21
intigriti
changed the in scope
4/21
intigriti
changed the in scope
4/21
intigriti
changed the in scope
4/21
intigriti
published a program update
4/21
logo
created a submission
4/21
intigriti
accepted a submission
4/21
intigriti
accepted a submission
4/21
logo
created a submission
4/20
logo
created a submission