Challenge is over!
Check out the write-up!
Playground for S3! (Super Safe Sanitizer)
If you found a bug in the S3, contact us with this file on HackerOne!
Why is S3 guaranteed secure?
- Only supports HTML! No SVG, MathML, or other XML madness :)
- Throws as soon as it finds unsupported tags/attributes :)
- Only supports a DocumentFragment output! No mutations, great for security & performance!
Contact Sales
Rules
- Execute alert(origin) on this origin. 1 click is allowed.
- XSSes have to work on the stable version of Chrome.
- You are only allowed to use vulnerabilities in this page or in the resources loaded in this page.
- DM me if you found 3+ XSS bugs (there are 4 bugs (i.e. XSS sinks) in this page).
Winners for finding 4 bugs
- alex
- Masato Kinugawa
- Michał Bentkowski
- You?
Winners for finding 3 bugs
- Luan Herrera
- Michał Bentkowski
- Jiantao Li
- alex
- Masato Kinugawa
- TheGrandPew
- kunte_
- You?
Honorable mention for bypassing the sanitizer in unintended ways
- Michał Bentkowski
- TheGrandPew
- alex
- You?