Hack My Webpage!

Started by Heretic86, March 09, 2021, 05:24:07 am

Previous topic - Next topic


I am experimenting with a bunch of stuff I am brand new to, so I EXPECT there are gonna be issues...

Other sites I posted on, the messages I got back so far are a bunch of preachers "do not allow users to run their own scripts, ever".  Well, I am not gonna listen to them.  Hasnt been many replies tho, so still waiting for better responses.  Really they just sound very lazy.

Please dont do damage to my server, just the webpage...

What I want to do is to allow Users to UPLOAD THEIR OWN SCRIPTS to an IFRAME to allow them FULL CONTROL of a Canvas Object.  But, it needs to be done so SAFELY.  What I think makes this at least somewhat more secure is not just the code you can see, but a combination of headers and some CORS stuff as well, which you can also see, its just under the response headers.  Sandboxed in.

The GOAL here is for you to BREAK OUT OF THE IFRAME in Javascript and access the rest of the Page.  I set this up to be as easy to hack as possible.  I made it a FORM so you can post ANY JAVASCRIPT YOU WANT in the text field and execute it.  Why?  Because that is what I want ALL USERS to be able to do.  However, the scripts they create need to be completely confined within some sort of sandbox environment that does not put anyone who views their content at risk.  So try things like window.location, window.open, parent.caller, let img = new Image; img.src = 'someurl.jpg',


Please let me know if this works or does not work as I hope it will...

If you can get out of the iframe in javascript and somehow access "hack target" then I will have to dig deeper in how to do this, please let me know how you did and what I need to do to fix.  Basically in theory everything is blacklisted, then opened up some stuff that hopefully is fully contained within the web page.  I need to set up quite a few other things to make this work as I hope, and could use some assistance from people I know and trust...  Im having some issues getting Reporting to work, so need to focus on that if anyone gets a spot of time...

Thanks a ton guys!
Current Scripts:
Heretic's Moving Platforms

Current Demos:
Collection of Art and 100% Compatible Scripts

(Script Demos are all still available in the Collection link above.  I lost some individual demos due to a server crash.)