XSPwn Solution

  1. Hit the maximum number of nodes, to trigger a node deletion.
  2. When the first node is deleted, the memory taken by that node is freed with free(curr)but the HEAD is not updated.
  3. Insert another node, overwriting HEAD->name in the next malloc() and strcpy()
  4. By overwriting with the correct memory address, we can point to a previous name that failed the XSS check.

The solution works once in every 10 tries on average. The exploit will automatically retry until it works.

Full Solution | Home