Solution: XSS Challenges (by yamagata21) – Stage #15

In this lab, the string we enter is written to the page by document.write(). First we try:

<img src=1 onerror=alert(document.domain)>

We find that the angle brackets (< and >) are escaped. So we write them as JavaScript string escapes instead (\x3c and \x3e), but the backslash (\) is removed as well.

Therefore, we add one more backslash. The payload becomes:

\\x3cimg src=1 onerror=alert(document.domain)\\x3e

Solution: XSS Challenges (by yamagata21) – Stage #12

In this lab, many characters are removed (x00, x20, <, >, " and ').

In IE, back quotes (`) are parsed as quotes, so we can use them instead and combine them with an event handler:

``onclick=alert(document.domain)

Then we click the text box to trigger the event.

Solution: XSS Challenges (by yamagata21) – Stage #11

In this lab, “script”, “style” and every event handler name starting with “on…” are replaced, so we create a link as we did in stage 8 and use a horizontal tab (&#x09;) to separate “s” and “cript”:

"><a href="javas	cript:alert(document.domain)">

Then we click the link.
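The tab trick works because the filter inspects the raw attribute string while the browser inspects the URL it parses out of that string. The Python check below is added here as an illustration; it is not the challenge site's code or part of the original post. It validates a user-supplied href the way a browser will read it (HTML entities decoded, leading and trailing control characters stripped, ASCII tab/LF/CR removed anywhere) and then allowlists the scheme, next to the word-blacklist check that the stage 11 filter amounts to. The function names, the sample links and the ALLOWED_SCHEMES set are this example's own assumptions.

```python
import html
import re

# Constructed sample values: the stage 11 href from the walkthrough (with a real
# horizontal tab inside the scheme), the same value with the tab written as the
# &#x09; entity, and a few ordinary links for comparison.
TAB_SCHEME = "javas\tcript:alert(document.domain)"
ENTITY_SCHEME = "javas&#x09;cript:alert(document.domain)"
PLAIN_LINKS = ["https://example.com/page", "/relative/path?q=1", "mailto:user@example.com"]

ALLOWED_SCHEMES = {"http", "https", "mailto"}          # assumption: what this site links to
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))    # NUL..US plus the space character
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def naive_is_safe(raw: str) -> bool:
    """The check the stage 11 filter amounts to: look for the banned word in
    the raw string. Anything that splits the word defeats it."""
    return "script" not in raw.lower()


def normalize_like_url_parser(value: str) -> str:
    """What a browser does before it reads the scheme (WHATWG URL parsing):
    strip leading and trailing C0 controls and spaces, then drop every ASCII
    tab, LF and CR wherever it appears. The tab in javas<TAB>cript vanishes
    here, which is why the lab's link still runs."""
    value = value.strip(C0_AND_SPACE)
    return re.sub(r"[\t\n\r]", "", value)


def is_safe_href(raw: str) -> bool:
    """Allowlist the scheme of the URL as the browser will parse it, not as
    the string arrived. The HTML parser decodes entities in attribute values
    before the URL parser runs, so decode them first; rejecting an entity-
    carrying value that a careful template would have neutralised anyway
    errs on the safe side."""
    decoded = html.unescape(raw)
    normalized = normalize_like_url_parser(decoded)
    m = SCHEME_RE.match(normalized)
    if m is None:
        return True   # no scheme: a relative URL, resolved against this page
    return m.group(1).lower() in ALLOWED_SCHEMES


def render_link(raw: str, text: str) -> str:
    """Emit the anchor only when the href passes; the value is still
    attribute-encoded, so the scheme check is not the only line of defence."""
    if not is_safe_href(raw):
        return html.escape(text)
    return '<a href="' + html.escape(raw, quote=True) + '">' + html.escape(text) + "</a>"


if __name__ == "__main__":
    print("naive check passes the tab payload:", naive_is_safe(TAB_SCHEME))
    print("allowlist check rejects it:        ", not is_safe_href(TAB_SCHEME))
    print(render_link(TAB_SCHEME, "click me"))
    print(render_link(PLAIN_LINKS[0], "a & b"))
```

The normalisation step is the part that matters: a scheme check that runs before the control characters are removed is checking a different string than the one the browser will act on.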

Solution: XSS Challenges (by yamagata21) – Stage #10

In this lab, we guess that “domain” is probably removed, so we just need to add one more “domain” inside the string: “domain” becomes “ddomainomain”.

Then we search for:

"><script>alert(document.ddomainomain)</script>
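Stages 15, 12 and 10 all fail the same way: the filter deletes or escapes a blacklist of characters and words in a single pass, and the input is either reassembled around the deletion or re-spelt in a form the blacklist never listed. The Python below is an added example written for this post, not the lab's own code. It models the deletion filter on the stage 10 payload, shows that deleting to a fixpoint only fixes the reassembly, and contrasts both with encoding the value for the context it actually lands in (a JavaScript string literal for document.write(), a quoted attribute for the text box), which leaves the stage 15 and stage 12 payloads as inert text. The helper names and the two templates are assumptions of this example.

```python
import html
import json

# Constructed inputs, copied from the payloads in the walkthrough above.
STAGE15_INPUT = "\\\\x3cimg src=1 onerror=alert(document.domain)\\\\x3e"   # two literal backslashes each
STAGE12_INPUT = "``onclick=alert(document.domain)"
STAGE10_INPUT = '"><script>alert(document.ddomainomain)</script>'


def strip_once(text: str, banned: str) -> str:
    """A deletion filter of the kind stage 10 uses. str.replace makes one
    left-to-right pass, so the characters on either side of a removed match
    close up into a fresh copy of the banned word."""
    return text.replace(banned, "")


def strip_to_fixpoint(text: str, banned: str) -> str:
    """Delete until nothing changes. This closes the reassembly hole but is
    still a blacklist: it says nothing about spellings the author never
    listed, which is what the \\x3c and backtick stages rely on."""
    while banned in text:
        text = text.replace(banned, "")
    return text


def encode_for_js_string(value: str) -> str:
    """Encode a value for a JavaScript string literal inside <script> (the
    document.write() case). json.dumps escapes quotes and backslashes, so an
    attacker-supplied backslash stays one literal backslash; '<', '>' and '&'
    are then written as \\uXXXX so the HTML parser can never see a closing
    </script> or a new tag inside the literal."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def encode_for_html_attribute(value: str) -> str:
    """Encode for a quoted HTML attribute. html.escape covers & < > \" and '
    but leaves the backtick, which legacy IE accepts as an attribute
    delimiter (stage 12), so that is encoded as well."""
    return html.escape(value, quote=True).replace("`", "&#x60;")


def render_document_write(value: str) -> str:
    """Server-side template for the document.write() pattern, with the value
    encoded for its real context: a JS string, not HTML."""
    return "document.write(" + encode_for_js_string(value) + ");"


def render_input_value(value: str) -> str:
    """Server-side template for a pre-filled text box (the stage 12 pattern)."""
    return '<input type="text" name="p1" value="' + encode_for_html_attribute(value) + '">'


if __name__ == "__main__":
    print(strip_once(STAGE10_INPUT, "domain"))         # the word 'domain' is back
    print(strip_to_fixpoint(STAGE10_INPUT, "domain"))  # gone, but only for this one word
    print(render_document_write(STAGE15_INPUT))        # the \x3c escapes stay literal text
    print(render_input_value(STAGE12_INPUT))           # backticks become &#x60;
```

The encoders are not blacklists: json.loads() of the emitted literal returns exactly the string that went in, so evaluation in the browser cannot produce a character the author did not write, whatever escape sequence the input contains.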

Solution: XSS Challenges (by yamagata21) – Stage #9

This lab requires a browser with UTF-7 support.

To cheat/skip this stage, open Firefox’s Web Console and execute alert(document.domain);. This shows the alert, which triggers the congratulations message.
