Results 1 to 3 of 3

Thread: prompt(1) to win XSS Challenge Share/Save - My123World.Com!

  1. #1

    prompt(1) to win XSS Challenge

    function escape(input) {
    // tags stripping mechanism from ExtJS library
    // Ext.util.Format.stripTags
    var stripTagsRE = /<\/?[^>]+>/gi;
    input = input.replace(stripTagsRE, '');

    return '<article>' + input + '</article>';
    }


    The stripTagsRE is filtering few characters. So our payload should to obfuscated in order for us to execute our javascript. I tried obfuscating all the character which are being filtered. Below is my payload given as input. Still I couldn't popup a prompt()




    Obfuscated payload: '&lt&#47&#1art&#x69;cle&GT';&ltscrIpt&GTprompt(1); &lt&#47&#1scrIpt&GT

    deobfuscated : '</article>';<script>prompt(1);</script>


    Can you guys give me a hint where am i going wrong, I would appreciate if anyone helps with getting close to the answer rather than giving the correct answer

    This is the link incase you want to check out http://prompt.ml/1

  2. #2
    Hi.

    I too am a beginner, so please correct me if I go wrong somewhere.

    Obfuscation doesnt always work.

    Although on display you can see &gt; as >, but in the background it still is &gt; as the HTML source says.

    I would suggest going for something else, that doesn't require obfuscation.

    And study the regex properly to know what chars are they filtering.

    Regexper is a great tool to visualise regex. Hope that helps.

  3. #3

    Yeah! I realized it later.. was then able to popup a prompt..

    Quote Originally Posted by brut3f0rc3 View Post
    Hi.

    I too am a beginner, so please correct me if I go wrong somewhere.

    Obfuscation doesnt always work.

    Although on display you can see &gt; as >, but in the background it still is &gt; as the HTML source says.

    I would suggest going for something else, that doesn't require obfuscation.

    And study the regex properly to know what chars are they filtering.

    Regexper is a great tool to visualise regex. Hope that helps.
    Yeah! I realized it later.. was then able to popup a prompt..

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •