Hi Sergey!

I was trying to trigger an XSS on https://ctf.nikitastupin.com/pp/known.html?__proto__[hif][]=javascript:alert(document.domain) by following https://github.com/BlackFan/client-side-prototype-pollution/blob/master/gadgets/twitter-uwt.md. I got the following error on Chrome:

Refused to execute script from 'https://analytics.twitter.com/i/adsct?type=javascript&version=1.1.0&p_id=Twitter&p_user_id=0&txn_id=twitter_pixel_id&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fctf.nikitastupin.com%2Fpp%2Fknown.html%3F__proto__%5Bhif%5D%5B%5D%3Djavascript%3Aalert(document.domain)' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.

Could you advise if you see a workaround here?

Thanks and cheers!

Hi this payload works for me in all tested browsers.
Check the HTTP response /i/adsct which returns an error, there should be twttr.conversion.loadPixels({}).

Sorry for "reopening" this, but it looks like this gadget no longer works in any browser: no XSS is triggered. Has it been fixed?

Yes, it looks like uwt.js was rewritten a few months ago and no longer contains the loadPixels function that was used in the gadget.

Thank you for confirming :)