# Intigriti 0522 XSS solution
The challenge page contained an iframe, so I went directly to the framed page.
I was welcomed with this view:

First I went through the website and clicked the navigation elements for Home, Products and Contact. Nothing interesting was there, so I opened Chrome dev tools and checked the Sources tab to see which scripts were being loaded.
The first thing that caught my attention was the IIFE (Immediately Invoked Function Expression) on line 17:
```javascript
* @author Blair Mitchelmore
* @version 2.2.3
*
**/
new function(settings) {
// Various Settings
var $separator = settings.separator || '&';
...
```
I went through that function to see what it does and started to think that it must be altered in some way to solve the challenge. I had no clue how to do that, so I continued exploring the website.
The next interesting part was here:

I was curious what would happen if I changed the page parameter. I was thinking about prototype pollution (the page itself kept talking about various kinds of pollution), so I tried `page=__proto__` and got this:

Well, that was interesting. Passing `toString` also worked, so I could set the page parameter to anything from the pages object or from its prototype and see some output in the HTML:

For some time I thought about passing some property that contained an HTML value, but I had no way to traverse the prototype, since `$.query.get('page')` always returned a string, and I didn't know of any property on Object's prototype that holds a browser value controllable by the user (probably there isn't one).
I didn't know what to do, so I moved on to the next step: looking at the filterXSS function and bypassing its sanitization. js-xss at version 0.3.3 seemed very old (maybe there were known vulnerabilities in it?).
Thinking about versioning led me back to that IIFE, whose header mentioned `@version 2.2.3`. I googled "Query String Modification and Creation for jQuery" and somehow landed on this GitHub repository: https://github.com/alrusdi/jquery-plugin-query-object.
A bit more searching brought me directly to this PoC: https://github.com/BlackFan/client-side-prototype-pollution/blob/master/pp/jquery-query-object.md.
The PoC used `?__proto__[test]=test`, so I added that parameter and saw that the pages prototype now contained my "test" value:

I used this payload for testing, but it wasn't executing:

At this point I decided to go back to the js-xss function: I had to bypass the sanitization. Having done my research on GitHub, I went to the js-xss issues and filtered for bugs:
https://github.com/leizongmin/js-xss/issues?q=is%3Aissue+is%3Aclosed+label%3Abug.
One issue looked interesting: https://github.com/leizongmin/js-xss/issues/120.
I checked the commit that fixed it:

I verified that the challenge website still had that vulnerable code, so I tried:
https://challenge-0522.intigriti.io/challenge/challenge.html?page=a&__proto__%5Ba%5D=%3Cscript%3Ealert()%3C/script%3E&__proto__%5Bscript%5D=true
The whitelist now contained my `script` tag, but the script still wasn't executing, because scripts inserted via innerHTML are not run :smile:.
I was stuck at this step for a while...
I thought about making the script executable somehow, but it seemed impossible. I tried using prototype pollution to modify the internals of the filterXSS function, but after polluting some of its settings with a falsy string (e.g. "0") or truthy values it mostly failed to run at all. I was overthinking a lot at this point. This even brought me to PortSwigger's XSS cheat sheet, specifically the section on XSS via prototype pollution:
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#prototype-pollution
Eventually I thought: "*what if I use arrays in parameters, like in other languages such as PHP?*" So I tried this payload: `page=1&__proto__[script][]=b`, and it resulted in my value being passed as an array:

I knew this was the end, so I immediately used this payload:
`https://challenge-0522.intigriti.io/challenge/challenge.html?page=a&__proto__[a]=<style onload%3dalert(document.domain)>&__proto__[style][]=onload`. The solution needed to work on Chrome and Firefox, and based on previous XSS challenges I knew this was the intended way, so the challenge was solved.
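To make the two halves of the bug concrete, here is an added example (my own code, not the challenge's, the jQuery query plugin's or js-xss's): a cut-down bracket-notation query parser that reproduces the `__proto__[tag][]=attr` pollution described above, a hardened variant of it, and the kind of whitelist lookup that an inherited `style: ["onload"]` entry poisons. All function names are assumptions, and the parser only mimics the plugin's behaviour for keys like `a[b][]`.

```javascript
// Added example (not the challenge's, the jQuery query plugin's or js-xss's own
// code): a cut-down bracket-notation query parser reproducing the pollution the
// writeup describes, a hardened variant, and the whitelist lookup it poisons.
// "a[b][]" -> ["a", "b", ""]; an empty last segment means "append to array".
function keyPath(rawKey) {
  const m = rawKey.match(/^([^\[]+)((?:\[[^\]]*\])*)$/);
  if (!m) return [rawKey];
  return [m[1], ...(m[2].match(/\[([^\]]*)\]/g) || []).map((s) => s.slice(1, -1))];
}
function pairs(qs) {
  return qs.replace(/^\?/, '').split('&').filter(Boolean)
    .map((p) => p.split('=').map(decodeURIComponent));
}
// Walks `path` with plain property access: with root = {} the segment
// "__proto__" resolves to Object.prototype, so the write lands on every object.
function assign(root, path, value) {
  let node = root;
  for (let i = 0; i < path.length - 1; i++) {
    if (node[path[i]] === undefined) node[path[i]] = path[i + 1] === '' ? [] : {};
    node = node[path[i]];
  }
  const last = path[path.length - 1];
  if (last !== '') node[last] = value;
  else if (Array.isArray(node)) node.push(value);
}
// Vulnerable: prototype-bearing container and no key filtering.
function parseQueryUnsafe(qs) {
  const out = {};
  for (const [k, v = ''] of pairs(qs)) assign(out, keyPath(k), v);
  return out;
}
// Hardened: null-prototype container, and any path touching a prototype
// gadget key is dropped outright instead of being written anywhere.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function parseQuerySafe(qs) {
  const out = Object.create(null);
  for (const [k, v = ''] of pairs(qs)) {
    const path = keyPath(k);
    if (!path.some((seg) => FORBIDDEN.has(seg))) assign(out, path, v);
  }
  return out;
}
// Sanitizer side: whiteList[tag] sees inherited keys, so a polluted
// style: ["onload"] makes <style onload> "allowed"; an own-property check does not.
function tagAllowedLoose(whiteList, tag) { return whiteList[tag] !== undefined; }
function tagAllowedStrict(whiteList, tag) { return Object.prototype.hasOwnProperty.call(whiteList, tag); }
```

Run `parseQueryUnsafe('?page=a&__proto__[a]=x&__proto__[style][]=onload')` and then check `({}).style` to see the pollution; `parseQuerySafe` on the same string leaves `Object.prototype` untouched.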