title: How I was able to rick roll every user on
date: Mar 27, 2022
tags: Article Web

How I was able to rick roll every user on


A few weeks ago, I decided to try to find a vulnerability on the platform that taught me a lot about cybersecurity: Root-Me. I started by looking at the input box that is used for the following:


This input box is also special: it lets you use HTML and custom text descriptors to format your input.


After trying a lot of different HTML elements, I learnt the following. Payloads such as:

<img src=x onerror="alert()">
<a href="javascript:alert()">XSS</a>

are neutralised on output: the dangerous tags are HTML-encoded and wrapped in a `<code class="echappe-js">` element, so they are displayed as text instead of being executed:

<code class="echappe-js">&lt;script&gt;alert()&lt;/script&gt;</code>
<code class="echappe-js">&lt;img src=x onerror="alert()"&gt;</code>
<br class="autobr">


With both pieces of information, an idea came to my mind: what if it was possible to embed a JS file that I control? I would be able to bypass all the restrictions!

<iframe src="">


Unfortunately, the src attribute seemed to be removed automatically. As a last try, I embedded my own profile page.

<iframe src="">


This time the result was different: I managed to embed the domain, but CSP seemed to block the page from rendering inside the frame.


However, it is important to notice that the embedding page's own CSP allows framing any http or https site we want, as its frame-src directive shows (the block above therefore comes from the embedded page refusing to be framed, not from the page carrying the iframe). So, finding a way to bypass the filter on the back end would easily give us an XSS.

frame-src http://* https://*

My first iframe

Having no possibility to embed the domain because of the CSP, I started thinking that the filter only allowed me to embed one specific origin. But after some tries, I figured out that I was wrong, because it is not possible to iframe the XSS challenges 👀

At this point, I had gathered a lot of interesting findings:

With that information, I understood something really important for the next attempts: the domain must be used.

In order to verify my assumption, I embedded the following:

<iframe src="">



Well, I got my first iframe. It might look like nothing, since I can't get an XSS on the API domain, and you would be right, but what if I could do the opposite?

<iframe src="">


Seeing that it worked, I immediately registered the domain and started a Flask server (over HTTPS, to avoid a mixed-content error).

from flask import Flask

# Create the app
app = Flask(__name__)

# Home page: the payload that will run inside the iframe
@app.route("/", methods=["GET"])
def index():
    return "<script>alert(document.domain)</script>"

if __name__ == "__main__":
    # Listen on all interfaces (bind address assumed) on 443 with a TLS certificate
    app.run(host="0.0.0.0", port=443, ssl_context=("cert/server.crt", "cert/server.key"))

<iframe src="">


Et voilà! 🎉

Further tests

Immediately after finding the XSS, I contacted @podalirius, who helped me run some tests and report the vulnerability.



As you can see, the vulnerability affected most pages of the website. For example, an attacker could have used it to rick roll every person visiting the domain with:

<script> = ""


After further research by the Root-Me team, the problem was fixed with the following code patch:


Sometimes, critical vulnerabilities can arise from a simple slash!
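The back-end filter on the iframe src and the page's CSP are the two checks an injected frame had to pass. As an added illustration (my own code, not Root-Me's, and not the real filter or patch, which this write-up does not show), the JavaScript below models the class of bug a missing slash produces: a bare prefix match against a trusted origin string, next to the one-slash fix and a URL-parsing check, together with a minimal evaluator for the `frame-src http://* https://*` directive quoted earlier. The host names, the filter logic and the sample URLs are all assumptions.

```javascript
// Added example (not Root-Me's code): a model of the two layers an injected
// <iframe src> had to pass.
//   1. the server-side filter on the src attribute; the article only says the
//      fix was "a simple slash", so the prefix check below is an assumed
//      reconstruction of that class of bug, with example.org as a stand-in
//   2. the page's CSP frame-src directive, which here allows any http(s) site
// Run with: node frame_src_check.js

const TRUSTED = "https://api.example.org"; // assumed stand-in for the trusted API host

// Weak filter: bare prefix match. "https://api.example.org.attacker.test"
// starts with the trusted string, so an attacker-registered host is accepted.
function weakFilterAllows(src) {
  return src.startsWith(TRUSTED);
}

// The "simple slash" fix: the prefix must end at the authority boundary, so
// neither "api.example.org.attacker.test" nor "api.example.org@attacker.test" matches.
function slashFilterAllows(src) {
  return src.startsWith(TRUSTED + "/");
}

// Sturdier fix: parse the URL and compare scheme and host exactly.
function parsedFilterAllows(src) {
  let u;
  try { u = new URL(src); } catch (e) { return false; }
  return u.protocol === "https:" && u.host === "api.example.org";
}

// Minimal evaluation of a CSP frame-src source list, covering only the forms
// used here: 'none', a bare * (treated as any http(s) URL), a scheme source
// such as https:, a scheme wildcard such as https://*, and an exact origin.
// Enough to show that "http://* https://*" lets the framing page load any
// http(s) origin, so the CSP never stood in the attacker's way.
function cspFrameSrcAllows(sourceList, src) {
  let u;
  try { u = new URL(src); } catch (e) { return false; }
  const scheme = u.protocol.replace(":", "");
  return sourceList.split(/\s+/).filter(Boolean).some((expr) => {
    if (expr === "'none'") return false;
    if (expr === "*") return scheme === "http" || scheme === "https";
    if (expr === scheme + ":") return true;
    if (expr === scheme + "://*") return true;
    if (expr === scheme + "://" + u.host) return true;
    return false;
  });
}

// The frame loads only if both layers accept the URL.
function iframeWouldLoad(filter, csp, src) {
  return filter(src) && cspFrameSrcAllows(csp, src);
}

const CSP = "http://* https://*"; // the frame-src value quoted in the article

// Constructed sample URLs: the legitimate API host plus attacker-controlled
// look-alikes of the kind a prefix filter lets through.
const SAMPLES = [
  "https://api.example.org/",
  "https://api.example.org.attacker.test/",
  "https://api.example.org@attacker.test/",
  "https://attacker.test/",
];

// Map each sample URL to whether the iframe would load under a given filter.
function report(filter) {
  return Object.fromEntries(SAMPLES.map((s) => [s, iframeWouldLoad(filter, CSP, s)]));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("weak prefix filter:", report(weakFilterAllows));
  console.log("prefix + slash:    ", report(slashFilterAllows));
  console.log("parsed host check: ", report(parsedFilterAllows));
}
```

Running it shows the weak filter letting both look-alike hosts through while the CSP allows them too, which is exactly the combination that turned an iframe into an XSS; the slash variant closes the hole, and the parsed-host variant is the version I would keep, since it does not depend on string boundaries at all.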

Thanks to Root-Me for patching the vulnerability quickly and for allowing me to publish this article!



Thanks for reading! 👋