## Summary: http://calc.buggywebsite.com/ is a angular site designed as a calculator. After observing the source code , there is iframe (frame.html) with functionality of displaying the data of postmessage in the webpage. ```js window.addEventListener("message", receiveMessage, false); function receiveMessage(event) { // verify sender is trusted if (!/^http:\/\/calc.buggywebsite.com/.test(event.origin)) { return } // display message msg = event.data; if (msg == 'off') { document.body.style.color = '#95A799'; } else if (msg == 'on') { document.body.style.color = 'black'; } else if (!msg.includes("'") && !msg.includes("&")) { document.body.innerHTML=msg; } } ``` Directly injecting the postMessage data into the HTML. we can achieve HTML injection if we can bypass the origin check. ```js if (!/^http:\/\/calc.buggywebsite.com/.test(event.origin)) { ``` it's checking the origin is started with the `http://calc.buggywebsite.com`, that's the first bug here origin it's doesn't make sure that the exact origin by checking ending with '/'. So we can continue the origin like `http://calc.buggywebsite.com.evil.com`. Now we achieved HTML injection on `calc.buggywebsite.com`. ```html ``` But here comes the main issue. We can inject a script tag , but we cant force it to execute because the HTML is injected through `innerHTML`. There is way `

` or ` ``` we need those scripts for the gadget, and CSP allows self scripts so no problem As the script try to access the iframe object (theiframe), it's rises as error, to avoid it ``. We have to inject that HTML into `calc.buggywebsite.com` through postMessage. But the payload contains script tags , script does loads through innerHTML injection, but we can use iframe srcdoc as the scripts are self , even CSP does n't bothers. ```html ``` Here comes the final issue. On frame.html before injecting into the HTML there is a last check in frame.js. ```js } else if (!msg.includes("'") && !msg.includes("&")) { document.body.innerHTML=msg; } ``` The payload must not contains '&' and ' , but our payload has &. After trying many things, tried to bypass the check. msg is nothing but postmessage data. The postMessage data might be anything a string or a list or a object. As if the msg is string it checks char by char, so if it a list then it check index by index. So tried innerHTML = ["

HTML injection

"], It worked. so we can bypass the check by using list [""]. Final payload is (page must be on calc.buggywebsite.com.) ``` ``` ## Steps To Reproduce: (Proof on Concept) 1. Open https://bugpoc.com/poc#bp-u7KS3iYK 2. Use the password `USuAlSeaL04` 3. Run the POC , there u see's the pop up of alert(domain) ## Note : Started working on the challenge after seeing the mail, tweet (https://twitter.com/bugpoc_official/status/1291767806216765443) , but lately : (. I know this is too late , most of the people might solved it already. But choose to write an writeup as i have liked this challenge, as i have learned many things in order of solving this. This is my first experience with the angular js : ). Thanks for nice challenge , expecting more challenges like this . ## Impact Solved the challenge and achieved XSS on calc.buggywebsite.com

BugPoC: Solution for XSS challenge calc.buggywebsite.com