Admin I — Web 100
Can you alert(1) this page (in firefox)?
Sure, I’ll take that challenge: the page asks if you can achieve an XSS that fires alert(1), and gives you a link with the injectable parameter (http://xss1.sect.ctf.rocks/?xss=stuff). The resulting script on the page looks like this:
<script> dontrunthisscript(); var a = "stuff"; </script>
No matter what you inject to replace “stuff”, you will find that the code will not run, since the block attempts to call dontrunthisscript() first, which isn’t defined, so the script throws before it ever reaches our input. Additionally, the “<” character was filtered out, so we couldn’t just make our own new <script> block :(
[Image: The console is mad at us for trying to run it :(]
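The reflection described above places the parameter inside a JavaScript string literal, a context where removing “<” alone does not keep the value confined to the literal. The following is an added example, not code from the challenge or its author: the two rendering functions are an assumed reconstruction of the page's behaviour, all function names are hypothetical, and the sample inputs are constructed. It puts the “<”-only filter beside context-aware encoding of the value.

```javascript
// Added example. Assumption: the server pastes ?xss= into the script block
// shown in the write-up. All function names here are hypothetical.

// Mirrors the filter described in the write-up: only "<" is removed.
function renderWeak(xss) {
  const filtered = String(xss).replace(/</g, "");
  return `dontrunthisscript(); var a = "${filtered}";`;
}

// Encode a value for a JS string literal that lives inside <script>.
// JSON.stringify escapes quotes, backslashes and control characters;
// the extra pass hides characters an HTML parser or older JS engines
// treat specially (<, >, &, U+2028, U+2029).
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

function renderSafe(xss) {
  return `dontrunthisscript(); var a = ${jsStringLiteral(xss)};`;
}

// Compile the script body without executing it: does it still parse as
// the two statements the developer intended?
function parses(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Decode the literal assigned to `a` in the safe rendering, i.e. the
// string value a browser would end up with.
function literalValue(body) {
  const m = /var a = (".*");$/.exec(body);
  return m ? JSON.parse(m[1]) : null;
}

// Constructed inputs: a value containing a quote, and one containing markup.
const quoted = 'he said "hi"';
const markup = "a </script> b";
console.log(parses(renderWeak(quoted)), parses(renderSafe(quoted)));
console.log(renderSafe(markup));
```

With the weak filter, a value containing a double quote already changes the structure of the script; with the encoder, the same value survives as data and decodes back to the original string.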