
Showing posts from August, 2020

BugPoc's XSS challenge, Buggy Calculator writeup

This is a write-up for the XSS challenge by `BugPoC`, Buggy Calculator (calc.buggywebsite.com), which popped up on Twitter recently (link).

The website is a calculator app built with AngularJS.
Evaluating JavaScript through a gadget inside the script (the eval that implements the calculator's own functionality) is the best part of this challenge.

Buggy Calculator is a website running at http://calc.buggywebsite.com/. It is an entirely client-side application. Our goal is to pop up alert(domain).
The functionality is that of a simple calculator: each button click appends to the equation (a string), and pressing calculate finally evals that equation.
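The design just described, an equation string assembled from clicks and handed to eval, is what turns a calculator into a JavaScript gadget. As an added example (not the challenge's or the writeup's code), here is a drop-in replacement for that eval step: a tokenizer plus recursive-descent parser that accepts only arithmetic and throws on anything else, so a crafted equation is rejected instead of executed.

```javascript
// Added example, not code from the challenge or the writeup: the Buggy
// Calculator builds an equation string from button clicks and evals it.
// This evaluator accepts only numbers, + - * / and parentheses, so a
// non-arithmetic equation raises SyntaxError rather than running as JS.
const TOKEN = /\s*(?:(\d+(?:\.\d+)?)|([-+*/()]))/y; // sticky: matches at lastIndex

function tokenize(equation) {
  const src = equation.trim(), tokens = [];
  TOKEN.lastIndex = 0;
  while (TOKEN.lastIndex < src.length) {
    const at = TOKEN.lastIndex, m = TOKEN.exec(src);
    if (!m) throw new SyntaxError(`unexpected input at offset ${at}`);
    tokens.push(m[1] !== undefined ? Number(m[1]) : m[2]);
  }
  return tokens;
}

function parse(tokens) {
  let pos = 0;
  const peek = () => tokens[pos], next = () => tokens[pos++];
  function primary() {
    const t = next();
    if (typeof t === 'number') return t;
    if (t === '-') return -primary(); // unary minus
    if (t === '(') {
      const v = expr();
      if (next() !== ')') throw new SyntaxError('missing )');
      return v;
    }
    throw new SyntaxError(`unexpected token ${t}`);
  }
  // Left-associative binary operators at one precedence level.
  const level = (operand, ops) => () => {
    let v = operand();
    while (ops[peek()]) { const op = next(); v = ops[op](v, operand()); }
    return v;
  };
  const term = level(primary, { '*': (a, b) => a * b, '/': (a, b) => a / b });
  const expr = level(term, { '+': (a, b) => a + b, '-': (a, b) => a - b });
  const result = expr();
  if (pos !== tokens.length) throw new SyntaxError('trailing input');
  return result;
}

// Safe stand-in for eval(equation): returns a number or throws SyntaxError.
function calculate(equation) {
  return parse(tokenize(equation));
}
```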

Observation 1: Reading the source code
The app uses an iframe (frame.html) to display the result, communicating with it via `postMessage`.
<iframe name="theiframe" style="height:65px;width:100%; left:-100px; margin-top:-05px;margin-bottom:-30px;" frameBorder="0" src="frame.html"…