This started as a curiosity. I wanted to find different ways to run JavaScript with heavily limited character sets. Then, after having so much fun with LightOS's awesome SQLi challenge (http://sla.ckers.org/forum/read.php?24,36040), I decided to turn one of my little experiments into a XSS Challenge :). This way people will have fun attempting to solve it, and I'll be able to learn from your solutions.

Here's the link to the challenge: http://tr3w.net/misc/challenges/ch2.php

Although payloads such as 'location=name' are very effective, I don't want to consider them as solutions because the challenge would not be very entertaining. It's fun to try to run JS without the aid of any external code, just by typing into the URL bar :P

Hope you like it!



Edited 1 time(s). Last edit at 03/19/2011 05:24PM by tr3w.

Very nice.
I did it :)

--
Yosuke HASEGAWA
http://utf-8.jp/

alerted cookie in 7 chars, or alert anything?

So here the rules state "just by typing into the URL bar" but at http://tr3w.net/misc/challenges/ch2rules.txt you say "only by typing directly into the GET parameter"...

So which is it?

@SW: alert coookie

@thornmaker: Sorry. It should be "just by typing into the URL bar". I corrected the discrepancy in the rules.

However, I closed the challenge a week ago and I'm no longer updating the leaderboard.