I recently found the site escape.alf.nu. It nerd sniped me really hard and I couldn't leave it before solving or at least knowing the solutions for all the challenges. Some answers really blew my mind. But I still can't solve 17, 18 and 21 and I can't find anything on the internet.

17 and 18 led me to read a lot about SOP bypasses. Most bypasses (through frame names, address hashes, the more recent postMessage()) require JS code on both sides. It is known that you can load anything as JavaScript or CSS and maybe get some info out of it, but it requires specific input formats (even JavaScript error messages are blocked in modern browsers). Even setting document.domain won't work, even though the domains are similar, as you can't set it on a token17.alf.nu (or 18) iframe.

It seems to me like a really blatant violation of the SOP that can only be bypassed by browser vulnerabilities (like the ones that were found in the Android default browsers). But it is against the style of the other challenges to have one that requires a specific browser. In 18 he says "I expect this one won't work in all browsers", but it sounds as if he expects it will work in most (so likely not a vulnerability), and more importantly, as if this contradicts the previous level, which should apparently work in all browsers.

And then there is 21. 20 got more attention than the other late levels, as Alf linked to it from his answer to this question as proof that his short answer is "not quite enough". The answer people gave to that level is defining a function called "window" or "console": the definition gets hoisted to the top of the scope, before the with statement, and so console.foo is never checked. However, this only works because it runs inside a function scope. If we actually tried to bypass the blocking of the console (only theoretical now, as there is no longer a known way of blocking it), we couldn't define a new window or console, as we are running in the global scope and we can't redefine those names.

21 is based on Salman A's answer to the question. It seems like it's meant to show that the code Facebook actually used was better than Alf's example, but really what matters is that this level runs your code with setTimeout, making sure it runs in the global scope and you can't override window or console. I'm starting to think this level has no solution... Anyone found anything?


0 Answers
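The scoping rule the question leans on (a function declaration hoists to the top of the function it sits in and can shadow a global there, while global-scope code cannot redeclare a non-configurable global such as a browser's window) can be seen in plain JavaScript. The block below is an added example, not code from the question or from escape.alf.nu, and it does not reproduce any level's actual blocker. Because Node has no window, it pins a constructed stand-in global named pageWindow with the same non-writable, non-configurable attributes; runInFunctionScope and runInGlobalScope are hypothetical sandboxes that stand for "eval inside a function" and "setTimeout with a string" respectively.

```javascript
// Added example (not from the question or escape.alf.nu): function-scope
// hoisting can shadow a global name, global-scope code cannot redefine it.

// Constructed stand-in for the browser's unforgeable `window` binding:
// a global that is neither writable nor configurable.
Object.defineProperty(globalThis, "pageWindow", {
  value: "real global",
  writable: false,
  configurable: false,
  enumerable: false,
});

// Hypothetical sandbox that wraps user code in a function body, the way an
// eval-inside-a-function or new Function(code) blocker would.
function runInFunctionScope(userCode) {
  return new Function(userCode)();
}

// Hypothetical sandbox that evaluates user code in the global scope, like
// setTimeout("...") in a browser. Indirect eval always runs globally.
function runInGlobalScope(userCode) {
  return (0, eval)(userCode);
}

// Inside a function, `function pageWindow() {}` is hoisted above every
// statement, so `typeof pageWindow` is already "function" on the first line
// and the global is shadowed before any check could run.
function shadowInFunction() {
  return runInFunctionScope(
    'var before = typeof pageWindow;' +
    'function pageWindow() { return "shadowed"; }' +
    'return before + ":" + pageWindow();'
  );
}

// In global scope the same declaration throws a TypeError, because the
// existing global binding is neither configurable nor writable.
function redeclareInGlobal() {
  try {
    runInGlobalScope('function pageWindow() { return "shadowed"; }');
    return "redefined";
  } catch (e) {
    return e.constructor.name;
  }
}

// A global `var` does not throw, but sloppy-mode assignment to a
// non-writable property is silently dropped, so the global keeps its value.
function assignVarInGlobal() {
  runInGlobalScope('var pageWindow = "clobbered";');
  return globalThis.pageWindow;
}
```

The defender's reading is the one the question gives: a client-side "console blocker" that runs untrusted code inside a function scope can be shadowed by a hoisted declaration, whereas code forced into the global scope cannot redefine window or console, so the scope the code runs in matters more than the blocking code itself.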