frncscrlnd's writeups

Writeups from challenges and CTFs i take part in.

Project maintained by frncscrlnd Hosted on GitHub Pages — Theme by mattgraham

Stage 6

What you have to do:
Inject the following JavaScript command: alert(document.domain);

Hint: event handler attributes.

Everything in the code looks normal, but trying the same payload as Stage 2 ("><script>alert(document.domain)</script>) doesn’t work: 6.1

This means that user input is “html-escaped/encoded” and that the < and > signs get encoded to &lt and &gt. The hint suggests we try to use event handler attributes to avoid typing the encoded signs < and >; we’ll try using the onclick event handler, but you can try onmouseover, onsubmit or what else you want: onclick="alert(document.domain)" 6.2

Clicking (or hovering, if you put on mouse over) on the textbox will complete the challenge.