victim arg
zardus committed Sep 5, 2024
1 parent 082237d commit dec4928
Showing 2 changed files with 3 additions and 0 deletions.
1 change: 1 addition & 0 deletions web-security/level-8/DESCRIPTION.md
Expand Up @@ -7,4 +7,5 @@ To carry out such an attack, an attacker typically needs to trick the victim int
This is unlike a Stored XSS, where an attacker might be able to simply make a post in a vulnerable forum and wait for victims to stumble onto it.

Anyways, this level is a Reflected XSS vulnerability.
The `/challenge/victim` of this challenge takes a URL argument on the commandline, and it will visit that URL.
Fool the `/challenge/victim` into making a JavaScript `alert("PWNED")`, and you'll get the flag!
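
Review bot: the added sentence in level-8/DESCRIPTION.md says `/challenge/victim` "takes a URL argument on the commandline" but never shows the invocation or says what form of URL it accepts, so a reader still has to guess how to call it. Consider adding a one-line usage with a placeholder, such as `/challenge/victim <URL>`, and writing "command line" as two words.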
2 changes: 2 additions & 0 deletions web-security/level-9/DESCRIPTION.md
Expand Up @@ -3,3 +3,5 @@ In SQL, you have dealt with injecting into the middle of quotes.
In XSS, you often inject into, for example, a textarea, as in this challenge.
Normally, text in a textarea is just, well, text that'll show up in a textbox on the page.
Can you bust of this context and `alert("PWNED")`?

As before, the `/challenge/victim` of this challenge takes a URL argument on the commandline, and it will visit that URL.
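
Review bot: the context line directly above the addition reads "Can you bust of this context", which is missing "out"; since this commit already touches level-9/DESCRIPTION.md, fix it here. The added sentence repeats the level-8 wording verbatim behind "As before", so the same "commandline" to "command line" change applies, and the two copies will have to be kept in sync if the victim's interface changes.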
