please explain

It’s a very rare and valuable thing called a “hint”…

Very big hint at that. Think undeundetectedtected

Just think about the code for a minute and apply the concepts of VPN, even though VPN’s have nothing to do with it just imagine what you do when you “encapsulate” a code instead of IP traffic. At least that’s how I understood it. COcodeDE. I really hope that helped.

I think I could also use a little bit of an explanation of the undetected hint. Among the various ways I tried that “worked” but didn’t count, I thought I was following that hint with this:

<SCR<script>IPT> <script>alert('HackThis!!');</script> </SCR</script>IPT>

Hi there.

@Kp00n7a I think this would fall under the classification of a spoiler :)
You are on the right track but reread the task: “execute exactly this code”
In this case “exactly” also applies to the case of the code. So see what parts get stripped away and what you are left with.

Sorry about that, I have hidden the spoiler. I thought it was filtering out <> and / but using a case-insensitive attack displays the prompt. So does that mean its filtering the string “script”? Ah hell, I’m not really sure what I’m looking for. I feel like a mosquito, looking for the sun but crashing into light bulbs instead.

Just keep trying and take it slow and steady. Patience really is a virtue with many of these.

If you think it is the string “script” then try to submit that and see how it is handled.
Trial and error will get you some way in understanding ho the sanitation works.

I think I see that it’s filtering >> < > and / … not “script” in the jquery script but I' not really grasping how to manipulate that script. I thought I’d manipulate the cookie utilizing tamper data but when I open it I don’t see the opportunity.

First of all, which cookie? Are you sure you fully see the difference between different types of parameters in a request and cookies? Or was it just a typo?

You do not need to do anything more than enter the correct kind of data into the form.

Does the script filter simply <> or does it take more than that to trigger it?

Try different inputs and see what gets stripped away and how.

Then think how you could have the input different so that the script would think it has done its job well

Yow, I can’t believe how much I was overthinking that. Or how close I actually was with the try in my first post. I got it through trial and error; I’ll admit I still don’t know exactly how the solution worked.

I’d rather not go into much more detail here, but check out the solutions section and there is likely some good explanation there. Or PM me.