Ho, ho, ho! The Cure53 XSSMas Challenge is here!

Giddy up that reindeer and off we go for a wild ride into the world of crazy browser features.

We're in the year 2019 and things got even crazier than they ever were before. Thanks for being reliable on that, vendors!

Welcome to the annual Cure53 XSSMas Challenge: Like every year, we present the likely to be finest and fiercest of all XSS challenges. There is one final goal - but many ways to reach it. An overall of four steps have to be completed. At least. Or is there a way to directly alert the final secret and win? Who knows...

The challenge is over! Write-Up soon!

You win the challenge if you make it through to the file index3.php without a 404, alert its location with the necessary token attached and send us a link to reproduce exactly that. Note, that we don't allow any user interaction this year. If we click your link and nothing happens, you probably didn't win.

This is Santa's Mailbox. It really is! You can place a letter to Santa by using the GET parameter "xss". Strange coincidence, right?

But Santa, oh Santa, what are the rules?

  1. Your task is to find the final present in Santa's bag of tricks
  2. You cannot rely on user interaction. Ever. Not even mild one.
  3. The solution has to come as a URL. Via JSFiddle or whatever you think is right
  4. The sender of the first valid solution will win 1000 EUR
  5. The shortest solution (counted in bytes, Ben! :P) before the challenge ends will win a 750 EUR Bonus
  6. We will update the score-board regularly. The challenge ends on 31st of January 2016 12:00 at noon, CET
  7. Being the first and the shortest at the same time is possible, Masato :D
  8. Present to us a solution that will alert Santa's final present. The token to XSSMas Kingdom!
  9. No trash-browsers, solution MUST work in latest version of either FF, Chrome, Opera or Edge. No MSIE!

Now, what am I supposed to do to avoid becoming reindeer fodder?

  1. Exploit the XSS on this page without user interaction
  2. Leak the token from token.php
  3. index.php can be solved by injecting two attributes.
  4. It's stripping that bypasses the XSS filter
  5. ██████████████████████████████████████████████████████████████████
  6. Wrap it all up in one URL, shorten, send us the URL, win!

Why would I do all that!

  1. Because it's fun!
  2. You'll learn crazy things!
  3. You might win one of two cash prizes :) Or both at the same time!

Now go forth and crack the XSSMas Challenge :D And let us, @filedescriptor and @0x6D6172696F know how you like it or if something is broken!

Solved it? Mail us! You'll find out how :)


  1. Masato Kinugawa, confirmed solved on 25th of December, 154 bytes (first)
  2. Pepe Vila, confirmed solved on 25th of January, 135 bytes (shortest)
  3. Gábor Molnár, confirmed solved on 24th of January, 136 bytes
  4. phiber, confirmed solved on 28th of January, 141 bytes
  5. Ben Hayak, confirmed solved on 25th of January, 142 bytes
  6. Oren Hafif, confirmed solved on 7th of January, 150 bytes
  7. Jontransition & Co., confirmed solved on 25th of January, 199 bytes
  8. You?

Special Awards

  1. Pepe Vila, for a very creative yet invalid 134 bytes (250 EUR)
  2. Oren Hafif, for a very creative yet invalid 144 bytes (250 EUR)