X X X

The Ultimate (Self) XSS Challenge 😈

~ Can you pop an alert in this page?

Not your typical XSS challenge this time!

THE GAME IS SIMPLE - SUCCESSFULLY POP AN alert IN THIS PAGE - THAT'S YOUR ONLY JOB!

You are welcome (even expected) to use self XSS for the task!
- That's right! Open the console and run any code you want!
The call for alert API must be applied to the origin of this app!
The idea is to try to steal a fresh new alert function from an iframe/new tab/etc.

For example, try the following self XSSes (hit ▶️ and see result in console):
▶️ document.body.appendChild( document.createElement('iframe') ).contentWindow.alert.call( top, 'did it work?!' );
▶️ var i = document.createElement('iframe'); i.onload = () => i.contentWindow.alert.call( top, 'did it work?!' ); document.body.append(i);
Those ☝️ aren't going to work 😈 Good Luck! 🍀

Did you win? 🏆 Prove it! Open an issue
This challenge runs on Snow ❄️
⭐ it if you like it!

Hall of Fame

1. 2. 3.

Snow ❄️

Snow aspires to standardize how to recursively own newborn windows within a browser webpage, from the context of the webpage itself.
📖 Technical explanation
⚙️ Installation and usage
👩🏽‍💻 Source Code
💪🏻 Motivation behind this project

Demo 🧐

~ Can you bypass Snow?

This website uses Snow to disable alert API completely

Use the textarea to run JS code that successfully shows an alert message

Try to do anything in your power to successfully do so
Remember: Snow doesn't protect against cross origin realms, you must run your alert under this current origin!

Click the button to execute your code (⌘ + ↵ / ^ + ↵ will work too)

If you succeed - Congratz! You bypassed Snow (please, open an issue, we'd love to improve its security)

Funded by Consensys 💙
Maintained and developed by MetaMask 🦊
Invented and developed by Gal Weizman 👋🏻