Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
XSS Challenge with a very limited char range
Posted by: tr3w
Date: March 15, 2011 05:02AM

This started as a curiosity. I wanted to find different ways to run JavaScript with heavily limited character sets. Then, after having so much fun with LightOS's awesome SQLi challenge (http://sla.ckers.org/forum/read.php?24,36040), I decided to turn one of my little experiments into a XSS Challenge :). This way people will have fun attempting to solve it, and I'll be able to learn from your solutions.

Here's the link to the challenge: http://tr3w.net/misc/challenges/ch2.php

Although payloads such as 'location=name' are very effective, I don't want to consider them as solutions because the challenge would not be very entertaining. It's fun to try to run JS without the aid of any external code, just by typing into the URL bar :P

Hope you like it!



Edited 1 time(s). Last edit at 03/19/2011 05:24PM by tr3w.

Options: ReplyQuote
Re: XSS Challenge with a very limited char range
Date: March 15, 2011 01:25PM

Very nice.
I did it :)

--
Yosuke HASEGAWA
http://utf-8.jp/

Options: ReplyQuote
Re: XSS Challenge with a very limited char range
Posted by: SW
Date: March 18, 2011 07:36AM

alerted cookie in 7 chars, or alert anything?

Options: ReplyQuote
Re: XSS Challenge with a very limited char range
Posted by: thornmaker
Date: March 26, 2011 12:33AM

So here the rules state "just by typing into the URL bar" but at http://tr3w.net/misc/challenges/ch2rules.txt you say "only by typing directly into the GET parameter"...

So which is it?

Options: ReplyQuote
Re: XSS Challenge with a very limited char range
Posted by: tr3w
Date: March 26, 2011 04:37PM

@SW: alert coookie

@thornmaker: Sorry. It should be "just by typing into the URL bar". I corrected the discrepancy in the rules.

However, I closed the challenge a week ago and I'm no longer updating the leaderboard.

Options: ReplyQuote


Sorry, only registered users may post in this forum.