RHAinfoSec XSS Challenge - 1

Welcome readers,

This turns out to be the first post of the Year 2014, I would like to start this post by wishing you a very happy new year, sorry for the delay as i was extremely occupied with my final examinations. And as they are over by now, i would like to start this year by putting up a small challenge for my readers. 

Recently, we had released our "XSS Filter Evasion Cheat Sheet", i was extremely overwhelmed with the response of the readers, the downloads have surpassed an amazing figure of 4500+ and more are coming every day. Therefore, i thought to put up a challenge, which would force you to use the techniques you would had learned from the cheat sheet and put you to the test. 

The challenge is based upon a WAF (Web Application Firewall) we encountered recently while pentesting a website, as it's against our policies and TOS to disclose the website which we were up against, however i was able to reverse engineer the rules and therefore managed to create my own filter simulating the rules of the one which we were up against.

Challenge Link

Special thanks to Mr prasad, for deploying the challenge upon his server. 

• http://rafay.prakharprasad.com/

Challenge Goals

• The challenge goal is to execute the javascript.
• Your payload must render javascript inside any modern browser. 
• The XSS protection header has been set to 0, which would turn off your client side XSS filter. 

Tips

• If all you can do is "><img src=x onerror=prompt(1);>, then this challenge is not for you. 
• The WAF can be very hard, if you don't know how to properly reverse engineer filter rules. 
• The solution for the challenge has already been given inside my "XSS Filter evasion Cheat sheet", However you would need to tweak the payload.
• Your scanners won't help here, so don't waste your time with them. 

Submissions

Sumbit your vector to rafayhackingarticles@gmail.com or prakhar@prakharprasad.com, once you have cracked this challenge.