Yadhu's Blog

Tag: XSS

A tale of HTML Injection to Account takedown at Exercism.org

# About Exercism

Exercism is an online platform that helps people upskill their programming skills through practice and mentoring. They are an open-source organization with over 200 GitHub repositories, thousands of contributors, and a friendly, inclusive community. I came to know about the platform in 2018 when my mentor, Vipin Pavithran, asked me to improve my coding skills by practicing on Exercism. Exercism is an amazing platform to learn to code.

Exploiting Client-side Prototype Pollution - arg.js

First of all, a big shoutout to the challenge author. All the challenges in this set are available here.

## Analysis

Going through the challenge source, we can see that two JavaScript files are imported.

```html
<script src="https://raw.githack.com/stretchr/arg.js/master/dist/arg-1.4.js"></script>
<script src="js/main.js"></script>
```

arg-1.4.js is a popular library for parsing URL parameters. And main.js has the following content.

let data = { small: "Hi, there!