No Color

Jules303 [papashow]
10 years ago

0

Hi everyone, I have read other posts about this level but can’t see the same problem as mine.

I have exactly that in the box, but with no color, and I can’t complete the level.

What can I do to recover the colors?

Thanks …

30 replies, 8 voices, 320 views
dloser
10 years ago

0

The colours are not part of the challenge; ignore them. Make sure you don’t have any whitespace anywhere in the result. Some browsers might not show it.

Jules303 [papashow]
10 years ago

0

Thank you dloser ;)

But I have just added some letters and some characters, with no spaces for sure, and I have what I want: the same in the box, but incomplete.
I don’t know where I’m wrong but I know I’m wrong.

[deleted user]
10 years ago

0

You might want to try that in a couple of other browsers just to see how the output is displayed in each browser.

Jules303 [papashow]
10 years ago

0

Thanks, I’m going to try that, Gokou ;)

chezare
10 years ago

0

it’s not the browser, i don’t remember having colors either :p
you can have that output but with a wrong input, at least i did :p
try variations it might help; good luck :)

Jules303 [papashow]
10 years ago

0

Thanks for the luck, but I need more than just luck to pass it!!!

chezare
10 years ago

0

be careful not to overthink it,
it’s not that complicated, try again with the ‘hiding’ thing :p it’s an easy way to solve it, i’m not even sure there are many ways in fact :p

Jules303 [papashow]
10 years ago | edited 10 years ago

0

Thank you Chezare, but I have tried some changes and that doesn’t work.

I don’t think it’s a spoiler, because it doesn’t work.

My input is this:

<script>alert('HackThis!!');</script>

My output:

If I change it, that changes the color a little, or maybe the format, but always the same result: no good!!!

Sure, I have tried all letters and characters and numbers!!! Almost :P

dloser
10 years ago

0

Try to figure out what the filter is actually doing. That should make it clear(er) what needs to be done. Check the source for the actual output; it’s not about the rendered output.

Also, something not working doesn’t mean it cannot be a spoiler. At least put spoiler tags ([ spoiler ]…[ /spoiler ], no spaces here too :p) around your input.

chezare
10 years ago

0

as dloser said try to figure out what the filter does.
you’re close to the answer
wish i could help you more :p

Jules303 [papashow]
10 years ago

0

thank you dudes !!!

Now I know what to do for my spoiler input;)

Now I have to pass this level with your help, I think. OK, I’m trying to understand what is going on between my input and the output!!!

_simple_sam
10 years ago

0

Same problemo. I don’t know if this is a spoiler or completely irrelevant but I notice that there is a hidden input in the form with a base 64 number called token. Is that important? I tried setting it to null and stuff like that, to no avail. Am I barking up the wrong tree?

? [stefanking56]
10 years ago

0

@_simple_sam

I don’t think that the token is relevant.
From what I know, the token is used to help protect against CSRF (Cross-Site Request Forgery) attacks.

_simple_sam
10 years ago

0

Aha… so this could well be spoiler. The reason that the characters have colors is they are in different elements. Am I getting warm —

? [stefanking56]
10 years ago

0

Nope, the characters’ colors are irrelevant. They are only used when coding to make the code look better. I can give you a hint if you want :)

_simple_sam
10 years ago

0

Yes, the colors are irrelevant, but I think I can get past the encoding using the same idea. I’ll try it out. If I’m still stuck I will get back to you :)

_simple_sam
10 years ago

0

OK, same thing. I can get the result written in the output –>


but I still don’t pass the level. I tried using unicode to disguise the angle brackets. Same thing. I am quite stuck. Definitely hint time!

? [stefanking56]
10 years ago | edited 10 years ago

0

Since this level is not a real world scenario, only certain answers will work.
What you are doing may work in a real scenario, but since the levels are simulated only the right answer will work.

undeundetectedtected

Reply has been removed
? [stefanking56]
10 years ago

0

It doesn’t have to be that complicated.
Keep this in mind:
undeundetectedtected

Jules303 [papashow]
10 years ago

0

undeundetectedtected
I have seen this about 100 times in the forum but maybe I’m too dumb to underunderstandstand :)

_simple_sam
10 years ago

0

You and me both, papashow. No idea what to do …

Jules303 [papashow]
10 years ago

0

Yep!!! I love this website but that’s not my way to learn, because I have a picture memory and here I’m lost now!!! I’m learning Python and you have to learn too because it is forforcedced!!! Hihihihi, good luck dude…


0

You don’t need the colors, you just have to do alterations until you get it right. I had that script in the output but it didn’t work. I tried many times with different techniques until I got it right.

Reply has been removed
dloser
10 years ago

0

Contrary to what has been said, this level is a “real-world scenario” and not simulated. The goal is to have code executed, so the output has to be such that your browser does indeed show an alert message. The goal is not to have the target code (with or without colours) shown on the page.

As I said before, figure out what is actually happening. Try various inputs and see what the output is. It should be pretty clear what happens. Once you know what happens, play with that to use it to your advantage.
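
The nested words quoted in this thread (undeundetectedtected, underunderstandstand, forforcedced) each collapse to a plain word when the inner word is deleted once. As an added example, not part of any post and not the level's code: a JavaScript model of such a delete-once blacklist filter, beside output encoding, which is the actual fix. The level's real filter is not shown on the page, so `stripOnce` and the blocked words are assumptions.

```javascript
// Added illustration. stripOnce() is an ASSUMED model of a delete-once
// blacklist filter; the challenge's real filter is not shown in the thread.
function stripOnce(input, blocked) {
  // One left-to-right pass: matches are deleted, the result is not re-scanned.
  return input.split(blocked).join("");
}

// A filter is unsafe if its own output can still contain the blocked word.
function leaksBlockedWord(input, blocked) {
  return stripOnce(input, blocked).includes(blocked);
}

// Re-running the deletion until nothing changes closes this one gap, but it is
// still a blacklist and it also deletes the word from legitimate text.
function stripUntilStable(input, blocked) {
  let out = input;
  let prev;
  do {
    prev = out;
    out = stripOnce(out, blocked);
  } while (out !== prev);
  return out;
}

// The robust fix: delete nothing, encode HTML metacharacters when the value is
// written into the page, so the browser treats it as text.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Sample inputs: the nested words quoted in the thread, each paired with the
// blocked word it is assumed to wrap.
const samples = [
  ["undeundetectedtected", "undetected"],
  ["underunderstandstand", "understand"],
  ["forforcedced", "forced"],
];

function report() {
  return samples.map(([input, blocked]) => ({
    input,
    once: stripOnce(input, blocked),
    leaks: leaksBlockedWord(input, blocked),
    stable: stripUntilStable(input, blocked),
  }));
}

console.log(report());
console.log(escapeHtml("<script>alert('HackThis!!');</script>"));
```

Comparing the input with the page source after each step, as suggested above, is also how a defender tests a filter: if any input makes `leaksBlockedWord` return true, the filter needs replacing with encoding, not another blocked word.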

? [stefanking56]
10 years ago

0

@dloser
When I said that the level is simulated, I meant that the answer is simulated.
Any javascript code that is still valid after filtering will run successfully, but the website will not accept it as an answer.

And the goal isn’t to execute js code, it is to execute the supplied js code.

dloser
10 years ago

0

Well, I’d say the main goal is to execute code, but, for the sake of being able to check the solution easily, specific code is required. In other words, the essence is not in being able to get the exact output, but in being able to exploit the filter.

Simulation is when instead of actually executing (vulnerable) code, you execute some (safe) approximation (e.g. nothing but a simple check on the input). In this case the vulnerable code is really executed. That the solution is verified with a simple check afterwards is not sufficient to call it simulated.

_simple_sam
10 years ago

0

So then the challenge is to get the code to execute? Is there syntactically therefore more than one exact line of code that could achieve that result? Or are the filters set in such a way that there is only one exact line of code that will work?

dloser
10 years ago

0

There are many inputs that result in code execution. There is only one that is accepted as the solution and that is the exact one that is given in the challenge description.

Jules303 [papashow]
10 years ago

0

Hi d ;), OK guys, where can I learn something about changing this code, maybe read about Java???

dloser
10 years ago

0

You are making me cry now… This has nothing to do with Java whatsoever.

2 replies have been removed