Web - Client

Tuesday 10 March 2020, 16:10  #1
Web - Client|XSS-DOM-based
prohk
  • 3 posts

I found the position of ’[Th1b4ud : spoil]’ where XSS may exist, but it filters space, ", ’, and more, and I tried encoding, but it doesn’t work.
Can you give some tips?
This is my last XSS challenge, thanks.

Tuesday 10 March 2020, 16:22  #2
Web - Client|XSS-DOM-based
ElTouco72
  • 283 posts

yep it filters a lot of things
find a way to not use them

Tuesday 17 March 2020, 04:09  #3
Web - Client|XSS-DOM-based
thomasyoung
  • 1 posts

There is still a way to use a string without quotes in the JS world. If you don’t know it off the top of your head, it’s probably something you haven’t come across yet. Sometimes we just don’t know what we don’t know. Keep learning new stuff. Something to do with strings, but not strings.

Tuesday 24 March 2020, 06:50  #4
Web - Client|XSS-DOM-based
rbtw
  • 18 posts

Hi, I was wondering how a function can be executed without parentheses. Perhaps I found where to inject code but my approach needs a custom function, but I can’t define one or execute one because ’">()+ are filtered. Am I on the right track?

Tuesday 24 March 2020, 11:07  #5
Web - Client|XSS-DOM-based
ElTouco72
  • 283 posts

Hi,

You are describing a problem, you are not giving any track

Tuesday 24 March 2020, 11:16  #6
Web - Client|XSS-DOM-based
rbtw
  • 18 posts

Okay I’m trying to modify the Random.url and send the payload to the Contact form, the bot might run it and I retrieve the cookie.
Avoiding spoilers.

Tuesday 24 March 2020, 12:30  #7
Web - Client|XSS-DOM-based
ElTouco72
  • 283 posts

you can try that, you’ll see if it works

Tuesday 24 March 2020, 14:07  #8
Web - Client|XSS-DOM-based
rbtw
  • 18 posts

Yay, thanks for the sign that I’m doing right. I found a way to make it work, but no response from the bot. Do I have to reduce the nickname length to 20?

Tuesday 24 March 2020, 14:15  #9
Web - Client|XSS-DOM-based
ElTouco72
  • 283 posts

Well, I cannot answer for all the steps that you might encounter. If the bot does not respond, it’s already an answer.
keep trying different things :)

Tuesday 24 March 2020, 15:17  #10
Web - Client|XSS-DOM-based
rbtw
  • 18 posts

ha I was mistaken, the bot does respond but I think it’s myself. Found the flag, thanks

Tuesday 24 March 2020, 15:21  #11
Web - Client|XSS-DOM-based
ElTouco72
  • 283 posts

Bravo! You’re welcome :)