XSS DETECTED! Alert was called!

Advanced XSS Lab

WAF Bypass | CSP Evasion | Filter Bypass | Advanced Techniques
ADVANCED

Challenges

1 WAF Bypass - Script Tag Blocked 2 WAF Bypass - Event Handler Blocked 3 WAF Bypass - Case & Encoding 4 CSP Bypass - Nonce 5 CSP Bypass - unsafe-inline blocked 6 Mutation XSS (mXSS) 7 Blind XSS 8 Polyglot XSS
Level 8: Polyglot XSS
Your input is reflected in THREE contexts simultaneously: (1) HTML body, (2) inside a JS string var x = 'INPUT', (3) inside an HTML attribute value="INPUT". One payload must trigger XSS in ALL three!
Expert
Polyglot Challenge: Your input appears in 3 contexts. One payload must work in ALL:
1. HTML Body: <div>INPUT</div>
2. JavaScript String: <script>var x = 'INPUT';</script>
3. HTML Attribute: <input value="INPUT">
Show Hint
A polyglot payload like: ' onfocus=alert() autofocus x='</script><img src=x onerror=alert()> or jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//\n. For this lab, craft something that breaks out of the JS string AND the attribute AND works in HTML.