HackCommunity XSS challenge

1llusion · 09-26-2012, 02:55 PM

Hello!

I've decided to make a little XSS challenge for you to test your skills on. The challenge will be updated so don't forget to come back every now and then!

How it works:
If you are the first one to solve one of the challenges, you will win a HC XSS Challenge award. Also your nick will be added to this thread.

To claim your award, reply to this thread using this form:

Code:
[b]Challenge no.:[/b]

[spoiler]

[img]*DIRECT IMAGE URL*[/img]

[b]Vector:[/b]

[/spoiler]

Rules:
=> You CAN'T claim your award through a PM. Solve only 1 challenge per post. Don't forget, its not allowed to dual post.
=> The challenge is considered solved if you find a way to pop-up an alert box. Simple HTML injections such as:

Code:
<h1>XSS</h1>

is not considered as a valid solution.

Example:
Challenge no.: 1

Spoiler:

If the challenge has been solved, you WON'T get an award for solving it. But don't worry, there will be new challenges added Smile

So are you ready for the challenge? Go to: http://www.hackcommunity.com/xss/ and have fun!

Challenge solvers:

Shining White
killerOfCode
Shining White
Snipa
StormHasHe
StormHasHe

NOTE: If you have any problem or get stuck. Feel free to ask for help Smile

Google Chrome browser has in-built XSS prevention system. The challenge might NOT work on this browser. The challenge was tested and worked on: Firefox (newest version)

Cheat sheets:

Shining White · 09-26-2012, 03:24 PM

Challenge no.: 1

Spoiler:

in a hurry for a night func : , will come back soon for update Biggrin

Dawnc0re · 09-26-2012, 06:06 PM

You could solve the first one by having some basic skid knowledge - Google.

http://gyazo.com/33eae758a9d8fceddb0fa50...1348678038

HAX!

1llusion · 09-26-2012, 06:37 PM

(09-26-2012, 06:06 PM)Dawnc0re Wrote: You could solve the first one by having some basic skid knowledge - Google.

http://gyazo.com/33eae758a9d8fceddb0fa50...1348678038

HAX!

I didn't want the challenges to be hardcore from the beginning. These 5 challenges are very basic (last 2 might give you a little headache but its kinda simple). Wait for some alternative syntax XSS challenges etc. Tongue

EDIT: Made the CSRF protection a bit less strict so you can care more about XSS and less about correct sid Tongue

1234hotmaster · 09-26-2012, 07:58 PM

http://i.minus.com/idDXCT903e9wG.png

I didn't get how that was a challenge, just typing Javascript instead of the text that was supposed to be displayed XD

1llusion · 09-26-2012, 08:00 PM

(09-26-2012, 07:58 PM)1234hotmaster Wrote: http://i.minus.com/idDXCT903e9wG.png

I didn't get how that was a challenge, just typing Javascript instead of the text that was supposed to be displayed XD

The first one should just test if there are any problems with your browser etc. Tongue

just a warm up Tongue

killerOfCode · 09-26-2012, 08:32 PM

Challenge no.:

Spoiler:

Challenge no. 2:

Spoiler:

1llusion · 09-26-2012, 09:09 PM

(09-26-2012, 08:32 PM)killerOfCode Wrote: Challenge no.:

Spoiler:

Vector:<script>alert("hello!");</script>
Challenge no. 2:

Spoiler:

Vector:";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

Added you to the list of solvers Smile

However, your vector could be a lot shorter. The first alertbox doesn't even execute Smile

1234hotmaster · 09-26-2012, 09:10 PM

Well looking at JS i just noticed there is the String.fromCharCode function XD

I feel like I'm forgetting all of these... I still remember my old XSS tunnel setup Biggrin

Dawnc0re · 09-26-2012, 09:47 PM

Can admins see the submited logs?
I hope they can x)

Damnit, i need to improve my h4x sk1llz.

HackCommunity XSS challenge
Author Message