"Sandbox-iframe XSS challenge solution" by joaxcar


"This is a writeup describing the solution to a small XSS challenge I posted on Twitter in May 2024" by Johan Carlsson. The challange page https://sandbox-iframe-ctf.glitch.me allows for arbitrary HTML in the search parameter xss as a Base64 encoded string. The HTML will be put inside a sandboxed iframe on the same page. The page will also add a flag to the hash portion of the URL upon visiting the site. The mission was to leak this flag in the hash and show the value in an alert box.