In this write-up, we’ll see how I identified a remote code execution vulnerability and bypassed the Akamai WAF rule(s). While I was doing a security scan, I noticed an endpoint that incorporates user-controllable data into a string and reflects it back in the response. Noticing the reflection of the text, I tried some XSS payloads but was not able to execute JavaScript successfully as the response Content-Type was application/json. However, when entering a payload such as ${191*7} I was surprised to see that the arithmetic expression had been successfully evaluated within the response as

[SNIP]getApprovalGroupByContext.contextType: 1337[/SNIP]

Image for post
Image for post

Note: “RCE_” is not a part of the payload, it is only used to look up reflected text.


In this writeup, I am going to explain my approach towards solving the Wacky XSS Challenge. The challenge is primarily about bypassing Content Security Policy (CSP) and DOM Clobbering due to insecure coding practice.

Challenge Rules

  1. You must alert(origin) showing
  2. You must bypass CSP
  3. It must be reproducible using the latest version of Chrome
  4. You must provide a working proof-of-concept on

Here’s how the challenge page looks like:

Image for post
Image for post

Upon clicking Make Whacky! button, I noticed a GET request being made to /frame.html page along with a query parameter called param

Gaurav Mishra

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store