I don't know what to do...
9 years ago
0
Hi everyone. I have searched Google for XSS codes and methods and I have tried a lot of possible solutions. Usually when I submit a code it shows me a black box at the bottom, and some other times it shows me the box with the message but the level is still incomplete. I think that when I submit the <script> or </script> word, the filter removes it in the result. Is that true? Otherwise, I wanted to know if I need to try to disable the filter or to put in a code that has the same result as this <script>alert('HackThis!!');</script> but isn’t the same code. Finally, to complete the level do I need to have as a result the message “HackThis”? Please, I have tried a lot of codes and I don’t know what to do. Please give me a hint.
Yes, that is exactly what is happening: there is a filter that is trying to prevent XSS injections… your objective for this challenge is to bypass this filter in order to make the page alert.
And again yes, you need to use exactly the same injection shown by the level description:
<script>alert('HackThis!!');</script>
My suggestion is to try an injection and then look at the source of the page to see how it gets filtered… and then find a workaround.
9 years ago
0
Thanks [quote=MrCyph3r]Yes, that is exactly what is happening: there is a filter that is trying to prevent XSS injections… your objective for this challenge is to bypass this filter in order to make the page alert.
And again yes, you need to use exactly the same injection shown by the level description:
<script>alert('HackThis!!');</script>
My suggestion is to try an injection and then look at the source of the page to see how it gets filtered… and then find a workaround. [/quote]
OK, so I tried this code <body onload=alert('HackThis!!')> and I get the message “HackThis!!” but again I see the empty black box. So I took a look at the page source and the only difference that I can see is that my code <body onload=alert('HackThis!!')> is in red color without anything missing. Next I tried the code that is in the level description <script>alert('HackThis!!');</script> and as usual in the black box I see this >alert(‘HackThis!!’); , which means that the page filters only <script> and </script> as I wrote in my first question. So maybe I need to disable the filter in some way and then execute exactly this code, or to add or remove something in the code? <script>alert('HackThis!!');</script>
<body onload=alert('HackThis!!')>
This is not what you need to do, the challenge states:
“Bypass the filter and execute exactly this code”
So you need to find a way to circumvent the filtering and enter the alert exactly as requested by the challenge:
<script>alert('HackThis!!');</script>
Of course it will be filtered out… as I said, the objective of the challenge is to bypass the filtering function.
9 years ago | edited 9 years ago
0
I just tried this code <script>alert('HackThis!!');</script> and I get as a result at the bottom of the page > which is exactly the code of the description <script>alert('HackThis!!');</script> but I do not get any message. So am I on the right way? Or do I need to find some tags that can replace the tags <script> and </script>?
Have you not read undeundetectedtected anywhere?
And @dloser said many many many times!
[quote=dloser]As said many times before: the goal is not to display the code but to execute it.[/quote]
A beginner practices until he gets it right, a professional practices until he can’t get it wrong!
9 years ago
0
I have read about undeundetectedtected in almost every thread but I still do not understand exactly the meaning of this. Anyway, I wanted to know if I need to find a tag that can replace the <script> code and in this way confuse the filter and execute the code that is in the description.
That hint is not random, if you don’t know what is the meaning of it, it would be better to see what the filter does and then look at the hint!
A beginner practices until he gets it right, a professional practices until he can’t get it wrong!
9 years ago
0
I think that the filter simply removes <script> and </script> and in this way the code is unable to execute.
A beginner practices until he gets it right, a professional practices until he can’t get it wrong!
9 years ago
0
Finally I did it!!! Thanks a lot !! :D
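
Added example, not part of the thread and not the challenge's own code: a Python model of the filter design discussed above, showing why deleting blacklisted tokens in one pass is unreliable and why output encoding is the robust fix. The function names and the one-pass model of the filter are assumptions; the payload and the hint string are the ones quoted in the thread.

```python
import html

# Assumption: the filter is modelled as one left-to-right pass that deletes
# each blacklisted token; the real filter's code is not shown in the thread.
BLACKLIST = ["<script>", "</script>"]


def strip_once(text, tokens=BLACKLIST):
    """Single-pass blacklist removal (the weak design)."""
    for tok in tokens:
        text = text.replace(tok, "")
    return text


def strip_until_stable(text, tokens=BLACKLIST):
    """Repeat the removal until the output stops changing."""
    while True:
        cleaned = strip_once(text, tokens)
        if cleaned == text:
            return cleaned
        text = cleaned


def encode_for_html(text):
    """Output encoding: keep the input as typed, render it as inert text."""
    return html.escape(text, quote=True)


PAYLOAD = "<script>alert('HackThis!!');</script>"  # from the level description
HINT = "undeundetectedtected"                       # hint quoted in the thread

if __name__ == "__main__":
    # What the poster saw: the tags vanish, the rest is displayed.
    print(strip_once(PAYLOAD))
    # The hint, filtered once for the word "undetected": deleting the inner
    # copy joins the surrounding pieces back into the forbidden word.
    print(strip_once(HINT, ["undetected"]))
    # Looping removes it, but still mangles legitimate input.
    print(repr(strip_until_stable(HINT, ["undetected"])))
    # Encoding leaves no markup for the browser to parse.
    print(encode_for_html(PAYLOAD))
```

Encoding at the point of output does not depend on guessing every dangerous token, which is why it holds where removal-based filters do not.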