Xss

Dojo #15


Web Application Firewall bypass - DOJO #15 (Until 25/02/2022)

HINT

It's good to have an understanding of how firewalls and browsers handle user input!

CHALL

  • Tell me a WAF that has never been bypassed..?

GOAL

Find a way to inject JavaScript and change the value of "settings.user" to "Admin".

  • BRUTE FORCE IS NOT ALLOWED!

A valid Cross-site scripting (XSS) payload must meet all of these requirements:

  • Break out of the "alt" attribute and execute JavaScript.
  • Change the value of the JavaScript variable "settings.user" to "Admin".
  • Output the changed value of "settings.user" as a JavaScript alert/popup or in your browser's developer console.

It's NOT valid if the value is only output in the HTML source code. Just to make it a bit harder! ;)

To verify the value changed correctly

If you're unsure whether your payload changed the variable "settings.user", uncomment the HTML code at the bottom to check!

Click the "pen icon" to the left to be able to uncomment. If your own output of the value (alert/console) is "Admin" and the alert you just uncommented also outputs "Admin", you have solved the challenge!


Story time

Brumens just got hired at EvilCorp as a tester. His first task was to set up the web application firewall (WAF).

He began to configure the firewall to filter every kind of user input. He was too lazy to actually add any filtering to the backend. He thought it was good enough to just have a firewall.

In the middle of the process he spilled his coffee on the keyboard by mistake and forgot to finish the configuration properly. Luckily Tyrell wasn't at the office...

~ So if you exploit this XSS bug, don't report it to Tyrell. I'd probably get fired! :P

I wish you luck! /Brumens
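The whole Dojo hinges on one design mistake from the story: user input lands inside an HTML "alt" attribute with only a WAF in front of it and no encoding in the backend. The added example below is not part of the Dojo and not Brumens' code; it shows what the missing backend filter looks like (context-aware attribute encoding with Python's standard `html.escape`) next to the unsafe string interpolation, and a round-trip check that parses the rendered markup back and confirms the input stayed inside the attribute. The `render_img` / `render_img_unsafe` functions and the sample inputs are constructed for this illustration.

```python
import html
from html.parser import HTMLParser


class _TagCollector(HTMLParser):
    """Collects every start tag (name, attributes) the browser-like parser sees."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: entities in attributes are decoded
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def attr_encode(value: str) -> str:
    """Encode untrusted text for a double-quoted HTML attribute value.

    quote=True also turns the quote characters into entities, so the value
    cannot terminate the attribute it is placed in.
    """
    return html.escape(value, quote=True)


def render_img(alt_text: str, src: str = "/static/logo.png") -> str:
    """Hardened rendering: every interpolated value is attribute-encoded."""
    return f'<img src="{attr_encode(src)}" alt="{attr_encode(alt_text)}">'


def render_img_unsafe(alt_text: str, src: str = "/static/logo.png") -> str:
    """The pattern from the story: raw interpolation, relying on a WAF upstream."""
    return f'<img src="{src}" alt="{alt_text}">'


def parse_tags(markup: str):
    """Parse markup the way a browser would and return the start tags found."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def stays_in_attribute(alt_text: str) -> bool:
    """True if the hardened renderer keeps alt_text inside the alt attribute.

    Exactly one <img> tag must come back, with only src and alt set, and the
    decoded alt value must equal the original input byte for byte.
    """
    tags = parse_tags(render_img(alt_text))
    if len(tags) != 1:
        return False
    name, attrs = tags[0]
    return name == "img" and set(attrs) == {"src", "alt"} and attrs["alt"] == alt_text


if __name__ == "__main__":
    # Constructed sample input containing attribute and tag delimiters
    hostile = '"><b>x</b>'
    print(render_img(hostile))         # delimiters arrive as &quot; &gt; &lt; entities
    print(stays_in_attribute(hostile))  # True
    print(len(parse_tags(render_img_unsafe(hostile))))  # 2: the <b> tag was injected
```

The check deliberately compares the parsed attribute against the original input rather than looking for specific "bad" characters: that is the difference between output encoding, which is correct for every input in this context, and a denylist filter, which is what a WAF is.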

This DOJO was created by a community member! Want to create your own and publish it here? Send us a message on Twitter!
