XSS challenge #4

Rules:

• This challenge is meant to raise awareness that prototype pollution vulnerability can lead to bypass of popular HTML sanitizers.
• There are two input fields:
  • The first one should contain a JSON object. All keys from the JSON object will be copied to Object.prototype. That is, if you provide the following JSON: `{"x":123}`, then Object.prototype.x is equal to 123. This is meant to simulate a prototype pollution vulnerability.
  • The second field should contain an HTML markup that will be sanitized by HTML sanitizers.
• The sanitizers used are:
  • no sanitizer - just for testing purposes
  • DOMPurify
  • Closure
  • sanitize-html
  • js-xss
• The goal is to bypass all sanitizers and execute alert().
• A proof that code was executed is a ✅ mark in all sanitizers.
• The solution must work on current version of at least one major browser (Chrome, Edge, Safari, Firefox).
• If you find a solution, please DM me at Twitter: @SecurityMB. Challenge is over! Check here for solution: https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/

Leaderboard

1. @terjanq: URL length: 238
2. @avr4mit: URL length: 252
3. @CmdEngineer_: URL length: 254
4. @l4wio: URL length: 285
5. @bananabr: URL length: 288
6. @53c0nd_2473: URL length: 318
7. @abcdsh_: URL length: 320
8. @0xParrot: URL length: 341
9. @zsxsoft: URL length: 356
10. @po6ix: URL length: 361
11. @S1r1u5_: URL length: 376
12. @kos_michal: URL length: 401

JSON object:

HTML code:

Status:

URL length: