Advanced XSS Lab

WAF Bypass | CSP Evasion | Filter Bypass | Advanced Techniques
ADVANCED
Level 4: CSP Bypass - Nonce
The page has CSP with script-src 'nonce-abc123'. Your input is reflected inside the href attribute of an anchor tag. Bypass the CSP!
Hard
Content Security Policy
CSP: script-src 'nonce-abc123'
Input is reflected in: <a href="INPUT">Click me</a>
Hint:
CSP nonce applies to inline scripts, but javascript: URIs in href are NOT blocked by nonce-only CSP in some browsers. Try: javascript:alert()
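
A defensive counterpart to this level, as an added example that is not part of the lab's own code: instead of relying on the CSP alone, the server checks the scheme of the reflected value before writing it into the href. The names safeHref, escapeAttr, renderLink and the base origin https://lab.example/ are assumptions made for illustration.

```javascript
// Allowlist-based validation for a value reflected into <a href="...">.
// safeHref, escapeAttr, renderLink and BASE are hypothetical names.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const BASE = "https://lab.example/"; // assumed origin used to resolve relative links

// Returns a normalized URL string if the scheme is allowlisted, otherwise "#".
function safeHref(input) {
  let url;
  try {
    // The WHATWG URL parser normalizes the scheme the way a browser does
    // (lowercased, surrounding whitespace stripped), so the check below
    // runs on what the browser would actually navigate to.
    url = new URL(String(input), BASE);
  } catch {
    return "#"; // unparseable input never reaches the attribute
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : "#";
}

// Escape for a double-quoted HTML attribute so the value cannot close it.
function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Builds the anchor from this level with the validated, escaped value.
function renderLink(input) {
  return `<a href="${escapeAttr(safeHref(input))}">Click me</a>`;
}

// Constructed sample inputs: the hint's value, a case/whitespace variant,
// a relative link, and an absolute link with a character that needs escaping.
const samples = [
  "javascript:alert()",
  " JavaScript:alert()",
  "/profile?id=7",
  "https://example.org/?a=1&b=2",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", renderLink(s));
}
```

Parsing first and comparing the parsed scheme against an allowlist avoids string matching on the raw input, which would miss values the browser normalizes before navigating.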