Our challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic. Please practise hacking on our challenges manually.
Failure to abide by the rules will put you at risk of being restricted from using our free challenges.
Can you find any XSS on this "harmless" page?
Cross Site Scripting (XSS)
Completed the challenge?
You can browse the intended solution to this challenge below.
If you browse the source code to the page via
When hunting don't make life harder for yourself! Look for common keywords and patterns, which in this case you can see:
var cfpPid= cfpAlphaParam("pid",0);
var cfpClick = cfpParam("clk");
var cfpOrd = cfpParam("n");
So we know that
cfpParam(). The fact that you have not only variables (defined via
var), but also the keyword
param should signal to you that's something happens here.
#. If you use
https://www.bugbountytraining.com/challenges/challenge-8.php#clk="></script><script>alert(0)</script> and inspect element then you will see your payload hasn't worked.
It is writing it to the document with the src wrapped in
' - So the final payload:
There is also the parameter
n which is handled exactly the same: