RHAinfoSec XSS Challenge - 2



Update: The results are announced here.

Welcome readers,

After a tremendous response to our first XSS challenge, we decided to make your lives a bit harder this summer by launching another XSS challenge. As always, our challenges are challenging and based upon real-world scenarios, and the key to solving them mostly relies upon the ability to think outside the box.
The challenge is based upon a strong blacklist-based protection. Beware that the challenge may be very hard for you unless you understand the right injection context.

    Challenge Rules/Goals

    • The challenge goal is to execute alert(1) inside the browser.
    • Your payload must render JavaScript inside modern browsers.
    • The XSS protection header has been set to 0, which turns off your client-side XSS filter.

    Challenge Link

    Special thanks to Mr Prakhar Prasad for deploying the challenge, and to Alex Infuhr for beta testing and ideas for the challenge.

    Hints/Tips

    • If all you can do is "><img src=x onerror=prompt(1);>, then our humble apologies, this challenge is not for you.
    • The WAF can be very hard if you don't know how to properly reverse engineer filter rules.
    • You could refer to my "XSS Filter Evasion Cheat Sheet" for ideas on cracking this challenge.
    • Automated scanners won't help here, as they often fail at producing context-based payloads.

    Submissions

    Submit your vector to rafayhackingarticles@gmail.com or prakhar@prakharprasad.com, or you could DM me on Twitter @rafaybaloch once you have cracked this challenge.
