Web - Client

Hi (:

I’ve try to send payload in contact page. my payload include script, src. src attribute is redirected to my remote server (html code) and my html codes includes body, onload, submit and form but it doesnt work. My strategy is like this: first admin read my comment, comment include hidden script then running and redirect my malicious html site, in html form action="http://challenge01.root-me.org/web-client/ch22/index.php?action=profile" and then all inputs fill automatically then send with body onload method.
I tested html code myself and I get "You’re not an admin!" error. I need little hint too ):

Thanks All

Hello sBayt,

You can directly send your html code using the form instead of using a remote server. You don’t need that for this challenge

Thanks a lot! yes1  😄

I thought so much in vain.

Hi all,
I think that with the remote host he was able to know that there was an XSS in the contact form.
Isn’t it? Or there is an other way to discover blind xss?
Thank you!