XSS 05
This exercise is one of our challenges on Cross-Site Scripting
In this lab, the goal is to create a payload that triggers an alert box with your unique identifier (UUID). The challenge involves bypassing a filter that stops the execution of PHP code when the word "alert" is found. To achieve this, you can use JavaScript's eval
and String.fromCharCode()
functions. String.fromCharCode()
decodes integers (decimal values) into their corresponding characters, allowing you to encode the word "alert" without directly using it.
You'll first identify the injection point and attempt to inject a script tag with "alert" to see how it gets blocked. By leveraging String.fromCharCode()
, you can encode the string alert(1)
and then use eval
to evaluate this string, triggering the alert box. After successfully triggering an alert with alert(1)
, you'll then move on to triggering an alert with your UUID to complete the challenge.