好久不见! The Cure53 Chinese New Year XSS Challenge 2018 is here! 🐓 🐶

Welcome to another super-tough XSS challenge. And welcome to the rooster's very secure henhouse!

It is so secure, it can detect attacks of a very very wide range

As y'all know of course, the Chinese New Year is technically about to happen and the era of the rooster needs to make room for the year of the doge.

The rooster however is not yet ready to give up on the old year and decided to barricade himself inside the henhouse. He bought some fancy shmancy defense technology from the Israelis and will make absolutely certain that the doge cannot break and enter. The old year is over you think? Hell no, it's never gonna be over. Mister Rooster has Coop Security Protocol deployed. Holy sith!

The rooster will hold his CSP-protected fortress unless you can help the doge kick him out. Either you win, or the old year will go on FOREVER!

You can help the dog by finding the rooster's golden egg and stealing it

🐓🐓🐓 Behold, and enter the secure henhouse! 🐓🐓🐓

But, what are the rules? How can we help doge?

  1. You have to help the doge to get the rooster to let go of the old year
  2. To do so, you have to find the golden egg and steal it!
  3. The utilization of user interaction is not allowed. Not at all. No click, no mouse-over, no focus, no nothing.
  4. The utilization of external resources is not allowed. Not at all. No images, scripts, fonts, no nothing.
  5. The solution must work in an up-to-date browser like Chrome 64+, Firefox 58+, Safari 11+ and Edge 41+. No IE11, no browser older than the current stable release.
  6. The first valid submission will earn you a 500 EUR cash prize! Be quick!
  7. The shortest valid submission (at the exact moment the challenge ends) will earn you a 1000 EUR prize! Be smart!
  8. The challenge ends on 21st of March 2018, 12:00am Berlin Time, CET (that's high noon on Persian New Year)
  9. And lastly, as usual, we make the rules, we decide, we reserve the right to fail and re-decide if it helps the challenge. Yes means yes and no means no. There will be no discussions.

Now, what am I supposed to do to avoid being shred by the rooster?

  1. Steal the golden egg and exfiltrate it. This allows the doge to finally kick the rooster out. Watch out for maybe even more hidden tasks.
  2. This page is the starting point. It has vulnerbale parameters you can find. The solution looks like this https://henhouse.cure53.berlin/?..something-someting..
  3. In short, you can see the golden egg by just following two links, start above. But can you steal it from here, the henhouse?
  4. Watch out for hints here and there, think outside the box. There is several levels and things to steal before you get to the golden egg.
  5. You cannot solve this challenge by brute-force. Stop your scanner, save a tree. We might disqualify you if we feel like it.

How do I test my vector?

It's easy, you simply submit it here: Chinese New Year 2018 Solution Submitter

How do you count the length?

  1. We count what you submit (via email) by using the test tool linked above. In raw bytes. The full URL. Just send us the solution via email and we will test it using the "Chinese New Year 2018 Solution Submitter" as well.

Why would I do all that?

  1. Because it's fun!
  2. You'll learn crazy, maybe new and even useful things!
  3. You might win one of two cash prizes :) Or both at the same time! Or maybe even more?

Now go forth and crack the Challenge and save Chinese New Year :D And let us, @filedescriptor, @kinugawamasato or @0x6D6172696F know how you like it or if something is broken!

Solved it? Mail us! You'll find out how :)

Winners so far

  1. @BenHayak, being the second to solve, using 429 bytes
  2. @SecurityMB, being the first to solve, using 442 bytes