Rules:
1. Execute alert(document.domain) in this origin. (document.domain must be "ryotak-challenges.github.io".)
2. The solution must work on Google Chrome 117.0.5938.150 or later. (The intended solution is tested on Google Chrome 117.0.5938.150.)
3. Any user interactions are allowed except:
- actions that allow JavaScript execution by design (e.g., DevTools, Bookmarklets)
- actions outside of the browser (e.g., modifying the browser, MITM)
4. The solution must be reproduced manually.
5. There is no server-side code for this domain. This is an entirely static website; the backend (GitHub Pages) isn't involved in this challenge.
6. Found the solution? Please let me know via DM on Twitter (X). (If you cannot send a DM, please @ me!)
Update (2023/10/08 13:15 UTC): Due to an unintended increase in difficulty, the challenge page has been moved from Cloudflare Pages to GitHub Pages. For transparency, the reason for this change is to drop HTTP/3 support.
Update (2023/10/08 13:30 UTC): I've moved the location of AngularJS to drop HTTP/3 support. The contents of the script are not changed.
Update (2023/10/29 03:00 UTC): The challenge is now over! The write-up is published at https://blog.ryotak.net/post/dom-based-race-condition/
Notes:
1. The intended solution assumes the following about the victim:
- Has a fast/reliable internet connection
- Has a clean cache state
- Can't press a key more than two times in one second
- Can't move the mouse quickly