by MKmoderate in Challenge Help about open - report
XSS 2 - Basic 41
Hey All,
I've asked about this before, but I'm having trouble with the injection aspect. Nothing from OWASP's filter evasion cheat sheet for XSS works. It seems like it's using htmlspecialchars() or htmlentities(), which would lead me to UTF-7 injection, but the header is already set forcing UTF-8, so no dice. Should I be focusing on event-based injection?
Will I be able to get an alert as a proof of concept, or is the PoC going to have to be a cookie stealer due to the design of the challenge? That should give me some insight on exactly what type of resource I might use to transfer the cookies to my stealer.
Thanks!
by newbieGuy about
All I know is you must create a webserver and create a cookie stealer script.
by Nightraven about
Hello sir. Can you send me a PM with your injection and where you inject it? Then I can give you pointers. I'm not entirely sure what you are doing.