Cross-site scripting (XSS)
XSS Challenge: The Feedback Forum
Scenario:
Craw.in is launching a new internal feedback forum for employees. The developers quickly built a basic site where users can submit feedback. They haven't had a chance to implement proper input sanitization yet.
Challenge 1: The Basic Greeting
Question:
The feedback form displays a "Welcome" message using the user's name entered in a previous page. Can you inject JavaScript code to display an alert box with the text "Hello Craw.in!" when the page loads? Enter the XSS payload that triggers the alert.
Challenge 2: Cookie Theft (Simulated)
Question:
Instead of a simple alert, can you modify the script to try to "steal" a cookie (represented by displaying the document.cookie value in an alert box)? This is a simplified simulation of what an attacker might do. Provide the payload.
Challenge 3: Bypassing Simple Filtering (Angle Brackets)
Question:
The developers have implemented a basic filter that removes angle brackets (< and >). Can you bypass this filter and still execute JavaScript? Use an <img> tag with an onerror event.
Challenge 4: Bypassing Case Sensitivity
Question:
The developers added another filter that converts all input to lowercase. Can you bypass this filter? Use the img tag with onerror but with different capitalization for the tag name or event.
Challenge 5: Bypassing Attribute Encoding
Question:
The developers have now encoded HTML attributes. So, it will encode " to ". Can you still inject JavaScript? Try using javascript: in an href attribute of an <a> tag.
Challenge 6: Event Handlers without tags
Question:
The developers are still trying, and now encoding href. Can you trigger XSS without any tags at all?