Hello friends, how are you doing? This is Osama, and in this post I will be covering the fourth Cross Site Scripting example in our Web For Pentester series. As we move forward in this course, the challenges provided in the lab get harder and more interesting to solve, and they are a fun way to learn more about your own skills and how web applications work. If you haven't seen the previous examples that we solved, here is the video reference to those posts: Example-1, Example-2 and Example-3.
In this article we cover example 4 of the Cross Site Scripting section. In this example every script tag is stripped out no matter how you write it, so how can we bypass that? The answer is simple: use another payload that doesn't use script tags and relies on a different tag to trigger the XSS.
In this example things are starting to get a bit trickier. Here, any use of the word script will halt the web app.
So in this case we must use a payload that works around this:
http://[yourlab]/xss/example4.php?name=<img src='nonexistant' onerror='alert("xss")' />
and this will get executed.
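Why the payload above gets through, as an added example that is not the lab's own source: greet_blacklist() is an assumed reconstruction of the behaviour described in this post (the function names and the "Hello" greeting are hypothetical), shown beside a version that HTML-encodes the value instead of matching keywords.

```php
<?php
// Added example; the lab's real source is not shown in this post, so
// greet_blacklist() is an assumed reconstruction of the described behaviour.

// Weak: reject the request if the word "script" appears anywhere.
function greet_blacklist(string $name): string {
    if (preg_match('/script/i', $name)) {
        return 'error';               // the app halts, as described above
    }
    return 'Hello ' . $name;          // raw input reaches the HTML response
}

// Corrected: no keyword list; encode the value for the HTML context.
function greet_encoded(string $name): string {
    return 'Hello ' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// True when the response still contains markup built from the input.
function has_live_markup(string $html): bool {
    return preg_match('/<[a-z!\/]/i', $html) === 1;
}

// Constructed inputs: a plain name, a script tag, and the payload from this post.
$samples = [
    'Osama',
    '<ScRiPt>alert(1)</sCrIpT>',
    '<img src=\'nonexistant\' onerror=\'alert("xss")\' />',
];

foreach ($samples as $input) {
    foreach (['greet_blacklist', 'greet_encoded'] as $fn) {
        $out = $fn($input);
        printf("%-16s live_markup=%-3s %s\n", $fn, has_live_markup($out) ? 'yes' : 'no', $out);
    }
}
```

The keyword check only sees the string "script", so the img/onerror input is echoed as markup, while the encoded version returns the same input as inert text for every sample.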
Here is the Video POC.