I don't know what to do...

[deleted user]
9 years ago

0

Hi everyone. I have searched Google for XSS codes and methods and I have tried a lot of possible solutions. Usually when I submit a code it shows me a black box at the bottom, and some other times it shows me the box with the message but the level is still incomplete. I think that when I submit the <script> or </script> word, the filter removes it from the result. Is that true? Otherwise, I wanted to know if I need to try to disable the filter, or to put in a code that has the same result as this <script>alert('HackThis!!');</script> but isn’t the same code. Finally, to complete the level, do I need to have as a result the message “HackThis”? Please, I have tried so many codes that I don’t know what to do. Please give me a hint.

12 replies
4 voices
269 views
Mr. Cyph3r [MrCyph3r]
9 years ago

0

Yes, that is exactly what is happening: there is a filter that is trying to prevent XSS injections… your objective for this challenge is to bypass this filter in order to make the page alert.

And again yes, you need to use exactly the same injection shown by the level description:

<script>alert('HackThis!!');</script>

My suggestion is to try an injection and then look at the source of the page to see how it gets filtered… and then find a workaround.

kasparavi
9 years ago

0

I am not understanding this one, will you please help me?

[deleted user]
9 years ago

0

Thanks [quote=MrCyph3r]Yes, that is exactly what is happening: there is a filter that is trying to prevent XSS injections… your objective for this challenge is to bypass this filter in order to make the page alert.

And again yes, you need to use exactly the same injection shown by the level description:

<script>alert('HackThis!!');</script>

My suggestion is to try an injection and then look at the source of the page to see how it gets filtered… and then find a workaround. [/quote]
OK, so I tried this code <body onload=alert('HackThis!!')> and I get the message “HackThis!!” but again I see the empty black box. So I took a look at the page source and the only difference that I can see is that my code <body onload=alert('HackThis!!')> is in red, without anything missing. Next I tried the code that is in the level description <script>alert('HackThis!!');</script> and as usual in the black box I see this >alert(‘HackThis!!’); , which means that the page filters only <script> and </script>, as I wrote in my first question. So maybe I need to disable the filter in some way and then execute exactly this code, or to add or remove something in the code? <script>alert('HackThis!!');</script>

Mr. Cyph3r [MrCyph3r]
9 years ago

0

<body onload=alert('HackThis!!')>

This is not what you need to do, the challenge states:

“Bypass the filter and execute exactly this code”

So you need to find a way to circumvent the filtering and enter the alert exactly as requested by the challenge:

<script>alert('HackThis!!');</script>

Of course it will be filtered out… as I said, the objective of the challenge is to bypass the filtering function.

[deleted user]
9 years ago | edited 9 years ago

0

I just tried this code &lt;script&gt;alert('HackThis!!');&lt;/script&gt; and I get as a result at the bottom of the page > which is exactly the code of the description <script>alert('HackThis!!');</script> but I do not get any message. So am I on the right track? Or do I need to find some tags that can replace the tags <script> and </script>?

Richard Brook [RichardBrook]
9 years ago | edited 9 years ago

0

Have you not read undeundetectedtected anywhere?

And @dloser said many many many times!

[quote=dloser]As said many times before: the goal is not to display the code but to execute it.[/quote]

[deleted user]
9 years ago

0

I have read about undeundetectedtected in almost every thread but I still do not understand exactly the meaning of this. Anyway, I wanted to know if I need to find a tag that can replace the <script> code and in this way confuse the filter and execute the code that is in the description.


0

That hint is not random, if you don’t know what is the meaning of it, it would be better to see what the filter does and then look at the hint!

[deleted user]
9 years ago

0

I think that the filter simply removes <script> and </script> and in this way the code is unable to execute.


0

Now find a way to apply the hint with what you just said!

Mr. Cyph3r [MrCyph3r]
9 years ago

0

You are close @GsRoy … just think about what it removes and how you can fool the filter.

[deleted user]
9 years ago

0

Finally I did it!!! Thanks a lot!! :D
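
Added example, not part of the original thread or the challenge's own code: a JavaScript model of the delete-the-banned-token filter the posts describe, run on the hint word and the level string quoted above, next to output encoding as the fix. The function names and the single-pass behaviour are assumptions made for illustration.

```javascript
// Added illustration; function names are hypothetical, not the site's code.

// Blacklist filter as the posts describe it: every banned token that is
// present in the input is deleted, in one pass, and the rest is kept.
function stripOnce(input, banned) {
  let out = input;
  for (const token of banned) {
    out = out.split(token).join('');
  }
  return out;
}

// Repeating the pass until nothing changes stops leftovers from joining
// back into a banned token, but it is still a blacklist: markup that is not
// on the list passes untouched (the thread reports <body onload=...>
// coming through unmodified).
function stripToFixpoint(input, banned) {
  let prev;
  let out = input;
  do {
    prev = out;
    out = stripOnce(out, banned);
  } while (out !== prev);
  return out;
}

// The robust fix is to encode on output instead of deleting on input.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(input) {
  return input.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Inputs taken from the thread: the hint word and the level's string.
const HINT = 'undeundetectedtected';
const LEVEL = "<script>alert('HackThis!!');</script>";
const TAGS = ['<script>', '</script>'];

function demo() {
  return {
    hintOnce: stripOnce(HINT, ['undetected']),             // banned word is back
    hintFixpoint: stripToFixpoint(HINT, ['undetected']),   // nothing left
    levelOnce: stripOnce(LEVEL, TAGS),                     // tags deleted
    levelEscaped: escapeHtml(LEVEL),                       // displayed, inert
  };
}

console.log(demo());
```

The escaped result is the same entity-encoded string one of the posts above submitted by hand, which is why that attempt was displayed on the page but did not run.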
