Ho, ho, ho! The Cure53 XSSMas Challenge 2016 is here!

Welcome to the toughest XSSMas challenge to date. And welcome to the, erm... jailbreak community!

While our community already isn't low on folks breaking jails of varying relevance, this time we actually have a serious request for you! Help Santa!

This time, Santa really needs your help. He completely overdid it with eggnog and reindeer-dust and well, they arrested him and locked him up real good. What does that mean? No gifts this year, that's what it means. But you can help!

Santa got locked up in a cyber-prison close to the south pole and only your skills can bust him out and save XSSMas. Are you willing to do it? Are you ready to go all-in for Santa? Let's sure do hope so! Santa made a lot of ka-ching by selling reindeer-dust - he will reward you generously!

This is the front door to the prison, visitor area. It is of course well-protected.

Solvers as of 15th of January 2017

  1. @BenHayak & @SecurityMB with a breath-taking 502 bytes in total. (shortest)
  2. @cgvwzq with a fresh approach yielding 554 bytes in total.
  3. @SecurityMB with a very innovative 579 bytes.
  4. @AvlidienBrunn & @ZetaTwo with 630 bytes in total.
  5. @BenHayak with a threatening 666 bytes
  6. @TheBoredEng & @BBuerhaus & @Smiegles with a competitive 822 bytes in total
  7. @MaxPlancks with an elegant 1496 bytes in total (first solver)
  8. You?

But Santa, oh Santa, what are the rules?

  1. The key to free Santa resides on juicyfile.cure53.de. You need to retrieve it from your safe-zone on xssmas2016.cure53.de and alert it to free him from prison! Don't use any other origin than xssmas2016.cure53.de - it's not safe out there!
  2. The utilization of user interaction is not allowed. Not at all. No click, no mouse-over, no focus, no nothing.
  3. The solution must work in an up-to-date browser like Chrome 55+, Firefox 50+, Safari 10+ and Edge 14+. No IE11, no browser older than the current stable release.
  4. The first valid submission will earn you a 500 EUR cash prize! Be quick!
  5. The shortest valid submission (at the moment the challenge ends) will earn you a 1000 EUR cash prize! Be smart!
  6. The challenge ends on 31st of January 2017, 20:17 CET (that's 8:17pm)
  7. And lastly, as usual, we make the rules, we decide, we reserve the right to fail and re-decide if it helps the challenge. Yes means yes and no means no. There will be no discussions.

Now, what am I supposed to do to avoid becoming reindeer fodder?

  1. Fetch the key and alert it. This frees Santa. Watch out for maybe even more hidden tasks.
  2. Watch out for hints here and there, think outside the box.
  3. You cannot solve this challenge by brute-force. Stop your scanner, save a tree.
  4. Don't try to social-engineer us like folks tried last year. We will be extra careful now, John!
  5. Revisit the most interesting techniques published in 2016 and see if they apply here.
  6. Visit this page now and then and see if there are new hints.

How do I test my vector?

It's easy, you simply submit it here: XSSMas 2016 Solution Submitter

How do you count the length?

  1. We count what you submit using the tool linked above. In raw bytes. Just send us the solution and we will test it using the "XSSMas 2016 Solution Submitter" as well.

Why would I do all that?

  1. Because it's fun!
  2. You'll learn crazy things!
  3. You might win one of two cash prizes :) Or both at the same time! Or maybe even more?

Now go forth and crack the XSSMas Challenge and free Santa :D And let us, @filedescriptor, @kinugawamasato or @0x6D6172696F know how you like it or if something is broken!

Solved it? Mail us! You'll find out how :)