Brad Fitzpatrick (bradfitz) wrote in lj_dev,
Brad Fitzpatrick

the XSS security challenge

Anybody bored and want a permanent account? Read on:

We're going to be running an XSS (Cross site scripting / Javascript injection) bug hunt challenge soon here. The biz people like the idea but need to squabble over rules and legal stuff. Unofficially, it'll involve giving out permanent accounts and money (or gift certificates).

So while I can't promise you jack right now in terms of money, I can give out permanent accounts like candy, so I'll announce the first round of the game:

STEP 1: Go to . Make an account. Probably need to change it to paid so you can make styles/etc.

STEP 2: Inject some JavaScript. Use S1, S2, CSS, overrides, you name it. It'd probably help if you read the HTML and CSS cleaner code in cvs to look for bugs, but it's not required. If you want, the code is at:


CVS viewers are at and .

STEP 3: Email me ( with subject containing at least "XSS-LJ", and a URL to a minimal test case illustrating your hole. I need to know how you did it, source code, maybe your test account's password, whatever it takes. The more clear it is, the more likely you win and I don't accept somebody else's later but more clear bug report first. After you find a hole, go create a new account for your next hole.

Brad's unofficial rules: I am judge, jury, and sole candy giver, at least until there are official rules. If I give you a permanent account, that doesn't mean you're not eligible for money/gift certificates later. We'll retroactively give that out for the best/hardest-to-fix/most-clever holes after the fact.

NOTE: The code running on the above URLs isn't live on the site yet. We don't care about holes at, because they're likely already fixed in the test code. The test code will go live on the site soon-ish. So reproduce (or produce) your bug reports on the test machine.

NOTE 2: The test machine above is a small virtual machine. I might not have given it enough memory. If it sucks, I'll increase it. Bear with me.

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

← Ctrl ← Alt
Ctrl → Alt →
← Ctrl ← Alt
Ctrl → Alt →