XSS 04
This exercise is one of our challenges on Cross-Site Scripting.
In this challenge, the developer has implemented a filter that completely blocks the word "script" in any case. If the request contains "script", the PHP code execution is halted. Your task is to find alternative methods to execute JavaScript and create an alert box with your unique identifier (UUID). You will explore several HTML tags and events such as onmouseover, onclick, and onerror to bypass the filter and successfully execute your payload.
To complete the challenge, you need to first identify the injection point and understand how the filtering mechanism works by testing with the "script" tag. Once you grasp the filter’s behavior, you can use other tags and events to run JavaScript. For instance, you can use the onmouseover event in one tag or the onerror event in another tag to trigger the alert box. Your goal is to craft a payload that works without requiring user interaction like mouse movements or clicks, ensuring the alert box pops up when the victim visits the page.
This exercise helps you understand the importance of thorough security testing and showcases the various ways JavaScript can be triggered even when typical scripts are blocked. It emphasizes the creative thinking required to bypass security filters and complete penetration testing tasks effectively.
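The keyword filter described above, next to the output-encoding fix that makes the filter unnecessary, as an added example that is not the challenge's own code. The function names and sample inputs are constructed for illustration, and the filter is assumed to be a case-insensitive substring check.

```php
<?php
// Added example: hypothetical re-creation of the "block the word script"
// filter and of the fix. Names and inputs are constructed, not from the lab.

// Weak control: reject the request if it contains "script" in any case.
function blocklist_allows(string $input): bool
{
    return stripos($input, 'script') === false;
}

// What the vulnerable page effectively does once the filter passes:
// the value is reflected into HTML unchanged.
function render_unsafe(string $input): string
{
    return 'Hello ' . $input;
}

// Fix: encode for the HTML context at output time, whatever the content is.
function render_safe(string $input): string
{
    return 'Hello ' . htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs.
$samples = [
    'plain'         => 'alice',
    'script tag'    => '<ScRiPt>alert(1)</sCrIpT>',
    'event handler' => '<div onmouseover="alert(1)">hover</div>',
];

foreach ($samples as $label => $input) {
    $allowed = blocklist_allows($input);
    printf("%-14s filter=%s\n", $label, $allowed ? 'pass' : 'block');
    if ($allowed) {
        // The event-handler sample reaches this line with its markup intact.
        printf("  unsafe: %s\n", render_unsafe($input));
    }
    // Encoded output is inert text in every case, including the blocked one.
    printf("  safe:   %s\n", render_safe($input));
}
```

The event-handler sample passes the filter because the word being blocked is only one of many ways markup can carry JavaScript; encoding `<`, `>`, and quotes at output removes the markup itself.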