Random ramblings in Infosec

XSS Challenge – Sh*t it’s a WAF

During my research on a well-known bug bounty program I came across a tricky XSS vulnerability that had some type of WAF filtering. I always like to play with WAFs, so I tried to test the WAF and understand how it works. After doing a few tests I found a weakness in the WAF and managed to bypass it and execute a cool alert box; however, my payload involved mild user interaction. So I made this challenge out of it, exactly as it was on the bug bounty website.

I already solved the challenge, and to prove that I’ve posted my solution to a secret gist on GitHub, saved on 15 Feb 2016.

Your Mission: Bypass the WAF and inject an XSS payload that executes alert(1337)

Rules of the Challenge:
1) The payload should work on the latest versions of modern browsers (FF44+, Chrome 48+, Edge)
2) Mild user interaction is allowed (clicking, etc.)
3) Try to make a payload that bypasses the XSS auditor in Chrome or Safari (if it’s possible)

If you solve it, send me an email with the subject “XSS Challenge Solution” to challenges[at]

Challenge Link:

I’ll do a write-up soon with my solution and a detailed explanation of how it works, and hopefully with other cool solutions I receive from you. I hope you will have fun and enjoy this challenge as I did :)

