XSS 05

This exercise is one of our challenges on Cross-Site Scripting

< 1 Hr.


In this lab, the goal is to create a payload that triggers an alert box with your unique identifier (UUID). The challenge involves bypassing a filter that stops the execution of PHP code when the word "alert" is found. To achieve this, you can use JavaScript's `eval` and `String.fromCharCode()` functions. `String.fromCharCode()` decodes integers (decimal values) into their corresponding characters, allowing you to encode the word "alert" without directly using it.

You'll first identify the injection point and attempt to inject a script tag with "alert" to see how it gets blocked. By leveraging `String.fromCharCode()`, you can encode the string `alert(1)` and then use `eval` to evaluate this string, triggering the alert box. After successfully triggering an alert with `alert(1)`, you'll then move on to triggering an alert with your UUID to complete the challenge.

Want to learn more? Get started with PentesterLab Pro! GO PRO