XSS Bypass Challenge – 2 [Solutions]


As you know, XSS bypass challenges usually depend on knowledge of JavaScript, a good analysis of the web application's behavior, and creativity. As in all my other challenges, this one was a simulation of a real-life case that I ran into during a penetration test. We will look at the source code to understand what the developer tried to do to fix the XSS vulnerability and what he/she missed.

If you haven't tried to bypass the challenge yet, please try it yourself first; you can reach it directly via http://lab.mehmetince.net/h4ckm3/xss-2/index.php. Then come back here and continue reading the rest of the post.

First Thing First

First, I want to share the names of those who successfully bypassed the challenge, together with their payloads.






Source Code

As you can see, there is something wrong with the PHP part of the source code. The first thing I want to mention is addslashes(). This function converts each single quote into a backslash followed by a single quote, which is the first part of preventing an inline-JavaScript XSS vulnerability.

Secondly, the point I want to emphasize is the blacklisting of specific HTML tags. If you really want to detect HTML tags inside user input, you have to be careful. In this example, the most common HTML tags are removed from the user input via str_replace. To bypass this security concept in the PHP code, we will focus on how str_replace is used. Please read the following code to understand the payload.


To be honest, I like the solutions of @0x90kh4n and @prakharprased. Actually, I used exactly the same payload as 0x90kh4n.

As you can figure out, the first step is closing the JavaScript tag with </scscriptript> and reopening it via <scscriptript>. Because str_replace removes the string "script" in a single pass, the inner "script" is stripped and the remaining characters collapse into a real <script> tag. After that, you call your remote JS file, which contains alert(document.cookie), and close your JavaScript tag with </scriscriptpt>. That's all.
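The following is an added example, not the challenge's original source. It reconstructs the kind of single-pass str_replace blacklist the post describes (the exact tag list is an assumption) and places it next to the context-aware output encoding that actually closes the hole: encoding the reflected value for the JavaScript string context (json_encode with the HEX flags) or for the HTML context (htmlspecialchars), so no angle bracket can survive regardless of how the input is nested.

```php
<?php
// Added example (not the challenge's code). Assumed weak filter: addslashes()
// followed by a single-pass str_replace() blacklist, as the post describes.
// str_replace() removes each token once over the whole string, so a tag
// nested inside itself ("scscriptript") loses the inner "script" and the
// leftover characters collapse into a real tag.
function weak_filter(string $input): string {
    // Assumed blacklist; the real challenge list is not shown in the post.
    $blacklist = ['script', 'img', 'svg', 'iframe', 'object', 'embed'];
    return str_replace($blacklist, '', addslashes($input));
}

// Fix for a value reflected inside a JavaScript string literal: encode for
// the JS context instead of enumerating dangerous tags. The HEX flags turn
// < > & ' " into \uXXXX escapes, and json_encode() supplies the quotes.
function js_string_literal(string $input): string {
    return json_encode(
        $input,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Fix for a value reflected into HTML body or attribute context.
function html_text(string $input): string {
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed probe: the nested-tag input discussed in the post.
$probe = "</scscriptript><scscriptript>x</scriscriptpt>";

// Weak filter: after one pass the nested tokens are real tags again.
echo "weak filter : ", weak_filter($probe), PHP_EOL;

// Context-aware encoders: no raw < or > remains, so no tag boundary exists.
echo "js literal  : ", js_string_literal($probe), PHP_EOL;
echo "html text   : ", html_text($probe), PHP_EOL;

// Cheap regression check a developer can keep next to the encoder:
// encoded output must never contain a raw angle bracket.
function no_raw_angle_brackets(string $encoded): bool {
    return strpos($encoded, '<') === false && strpos($encoded, '>') === false;
}
var_dump(no_raw_angle_brackets(weak_filter($probe)));       // bypassed
var_dump(no_raw_angle_brackets(js_string_literal($probe))); // safe
var_dump(no_raw_angle_brackets(html_text($probe)));         // safe
```

The check at the end is the kind of unit test that would have caught this filter before release: any blacklist that removes substrings can be tested by feeding it nested copies of its own tokens.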

In conclusion, I will again prepare and post new online challenges based on what I have run into during penetration tests. The next challenge will be about SQL injection.