XSS 05

This exercise is one of our challenges on Cross-Site Scripting

PRO
Tier
Medium
< 1 Hr.
8958

In this lab, the goal is to create a payload that triggers an alert box with your unique identifier (UUID). The challenge involves bypassing a filter that stops the execution of PHP code when the word "alert" is found. To achieve this, you can use JavaScript's eval and String.fromCharCode() functions. String.fromCharCode() decodes integers (decimal values) into their corresponding characters, allowing you to encode the word "alert" without directly using it.

You'll first identify the injection point and attempt to inject a script tag with "alert" to see how it gets blocked. By leveraging String.fromCharCode(), you can encode the string alert(1) and then use eval to evaluate this string, triggering the alert box. After successfully triggering an alert with alert(1), you'll then move on to triggering an alert with your UUID to complete the challenge.

Want to learn more? Get started with PentesterLab Pro! GOPRO