You have not logged in. Access is limited, Please login to get full Access

Cross-site scripting (XSS)

Cross-site scripting (XSS) is a web security vulnerability that allows attackers to inject malicious scripts into webpages viewed by other users. These scripts, typically written in JavaScript, can steal cookies, session tokens, or other sensitive information, and even perform actions on behalf of users. XSS occurs when user input is improperly validated or sanitized. There are three main types: stored, reflected, and DOM-based XSS, each targeting different parts of the application.

Task 1 XSS Challenge: The Feedback Forum

Scenario:
Craw.in is launching a new internal feedback forum for employees. The developers quickly built a basic site where users can submit feedback. They haven't had a chance to implement proper input sanitization yet.

Answer The Questions

Challenge 1: The Basic Greeting
Question:
The feedback form displays a "Welcome" message using the user's name entered in a previous page. Can you inject JavaScript code to display an alert box with the text "Hello Craw.in!" when the page loads? Enter the XSS payload that triggers the alert.

Challenge 2: Cookie Theft (Simulated)
Question:
Instead of a simple alert, can you modify the script to try to "steal" a cookie (represented by displaying the document.cookie value in an alert box)? This is a simplified simulation of what an attacker might do. Provide the payload.

Challenge 3: Bypassing Simple Filtering (Angle Brackets)
Question:
The developers have implemented a basic filter that removes angle brackets (< and >). Can you bypass this filter and still execute JavaScript? Use an <img> tag with an onerror event.

Challenge 4: Bypassing Case Sensitivity
Question:
The developers added another filter that converts all input to lowercase. Can you bypass this filter? Use the img tag with onerror but with different capitalization for the tag name or event.

Challenge 5: Bypassing Attribute Encoding
Question:
The developers have now encoded HTML attributes. So, it will encode " to ". Can you still inject JavaScript? Try using javascript: in an href attribute of an <a> tag.

Challenge 6: Event Handlers without tags
Question:
The developers are still trying, and now encoding href. Can you trigger XSS without any tags at all?

Cross-site scripting (XSS)

Task 1 XSS Challenge: The Feedback Forum

Email Verification Required

Admin Panel