XSS DETECTED! Alert was called!

Advanced XSS Lab

WAF Bypass | CSP Evasion | Filter Bypass | Advanced Techniques
ADVANCED

Challenges

1 WAF Bypass - Script Tag Blocked 2 WAF Bypass - Event Handler Blocked 3 WAF Bypass - Case & Encoding 4 CSP Bypass - Nonce 5 CSP Bypass - unsafe-inline blocked 6 Mutation XSS (mXSS) 7 Blind XSS 8 Polyglot XSS
Level 3: WAF Bypass - Case & Encoding
The WAF blocks <script>, all on*= handlers, AND the functions alert(), prompt(), confirm(), eval(). Bypass using encoding or indirect calls.
Hard
WAF Active
Blocked patterns: <script, on*=, alert(), prompt(), confirm(), eval()
Show Hint
Use indirect function calls: window['al'+'ert']() or [].constructor.constructor('alert()')() or top['al'+'ert']()