100% stumped

Did you try to take a look at the source code after injecting your script ? :p

D'oh! No, I didn’t. This is what I get if I check the source code of the page with the message, though:

<p>&lt;script&gt;alert(document.cookie);&lt;/script&gt;</p>

Which is basically just… what I sent. (I also sent a message with <scr

You are overlooking something.

You might want to remove part of that last message as it is a spoiler for something else.

+1 dloser but he didn’t said what it was about so Idk :p

Also Voidstar, try others injections

Here are two websites to help you

Link 1

Link 2

First of all, thanks to everyone who helped. Following the combined suggestions in these replies (@tl0tr’s links in particular) I’ve studied XSS some more. Trying to not spoil too much, this is where I am now:

• I am using an image to inject code. I have verified that the image tag is not blocked by the system, so this is exploitable.
• I have hosted the cookie alert somewhere else and am using a URL shortener to make it as short as can be.
• Even with these techniques, the message is still just 4-5 characters too long and I can’t make the injection work :(

What can I do now?

The website name can be as long as you want, the first part of the challenge is to figure out how to bypass the limit length!

^ And I have no clue where to start there. I’ve googled countless times but none of the solutions proposed work (because they all require me to refer something, and since I can’t upload files to HT! I need to upload them elsewhere and shortlink them, which still makes them too long).

Could somebody at least give me pointers? Even just recommended readings? I don’t want the solution, I just want to know where to go!

I think you already know the answer to bypass the character limit. You have mentioned that in your initial post. The only thing now you need to find is >> “How many character you can use” and then how you can implement that and inject the code so you can get the “Cookie”. Also whenever you inject anything always check the source code using Inspect element or firebug. Good Luck.

A few more post and I think we have a complete solution in this thread…

Try to be more creative.

Lol @dloser :)

Maybe we don’t need more posts, but who knows…. :p

@tl0tr, yeah I know the method, and I know what the limit is. The problem is that my shortlink alone is… 4 chars shorter than the maximum. Which makes it impossible for me to use what I have to use (thinking < > because clearly, the URL is not enough). I don’t know what else I can do. My research shows that the shortest possible injection is 27 chars including the <>s. That’s exactly as long as my injection is…

And @dloser, your comment doesn’t help at all. I wouldn’t be here if I knew what to do, and I think having 40 (now 41) forum posts in total while having solved 60%+ of the challenges shows that I can “be creative” sometimes, except that other times I need a push. If you’re going to be vague and criticise without giving any help, please refrain from posting here.

Voidstar,

What’s your main problem ? The char limit.
What about trying to break it ? ;)

My comment might not have helped you, @Voidstar**, but I don’t think that’s a reason to respond like that.

The way I look at challenges, the fun is in figuring out yourself how to do it, hopefully learning something new on the way. Needing a push every now and then isn’t a problem, but I don’t think one should expect to always get that push (in the way you want). Besides, you can also get it from just doing other stuff for a while; there is no reason why you’d need to solve all the challenges in one go.

[quote=“dloser”]
Besides, you can also get it from just doing other stuff for a while
[/quote]
Agree with that !

If we didn’t come here looking for help, then the forum would be useless. Your kind of comment is not what I was asking for and I found it really rude - to a point where my response (which is usually much more patient than that) was warranted. So I’ll be closing this thread because (a) I don’t like flaming and (b) it’s clear that I’m not going to get anything from this.
And this makes me really angry and sad. :/