# 0822: Business Card Generator

| Name                                                                     | Authors                                                                                          | Category                       |
| ------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------ | ------------------------------ |
| [Intigriti August Challenge (2022)](https://challenge-0822.intigriti.io) | [BrunoModificatio](https://twitter.com/BrunoModificatio) + [huli](https://twitter.com/aszx87410) | XSS, CSP, CSRF, DOM Clobbering |

## Video Walkthrough

[![The hardest XSS challenge yet?! Solution to August '22 XSS Challenge](https://img.youtube.com/vi/1PXkFUxzU-o/0.jpg)](https://www.youtube.com/watch?v=1PXkFUxzU-o)

## Challenge Description

> Find a way to execute arbitrary JavaScript on the iFramed page and win Intigriti swag.

## Useful Resources

* [XSS cheatsheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
* [CSRF](https://portswigger.net/web-security/csrf)
* [Fuzzing for XSS via nested parsers condition](https://swarm.ptsecurity.com/fuzzing-for-xss-via-nested-parsers-condition)
* [Angular CSP bypass](https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22#191-bytes)
* [UNI CTF 2021: A Complex Web Exploit Chain & a 0day to Bypass an Impossible CSP](https://www.hackthebox.com/blog/UNI-CTF-21-complex-web-exploit-chain-0day-bypass-impossible-CSP)

## Community Writeups

1. [brunomodificato (challenge creator)](https://github.com/BrunoHalltari/CTF-Writeups/tree/master/https:/challenge-0822.intigriti.io)
2. [huli (challenge creator)](https://blog.huli.tw/2022/08/29/en/intigriti-0822-xss-author-writeup)
