Can you find any XSS on this "harmless" page?
Easy
Cross Site Scripting (XSS)
This is just a static page with some basic JavaScript, but what does it do, and is anything vulnerable?
Completed the challenge?
You can browse the intended solution to this challenge below.
Solution
If you browse the source code of the page via view-source: then you will see some interesting JavaScript, and at first, most may think, "what's this do?!".
When hunting don't make life harder for yourself! Look for common keywords and patterns, which in this case you can see:
var cfpPid= cfpAlphaParam("pid",0);
var cfpPrBase="https://www.bugbountyhunter.com/";
var cfpClick = cfpParam("clk");
var cfpOrd = cfpParam("n");
So we know that cfpPid, cfpClick, cfpPrBase and cfpOrd are set as JavaScript variables, and some call a function cfpParam(). The fact that you have not only variables (defined via var), but also the keyword param should signal to you that something happens here.
Since the code is JavaScript, we have to interact with # (the URL fragment). If you use https://www.bugbountytraining.com/challenges/challenge-8.php#clk="></script><script>alert(0)</script> and inspect the element, then you will see your payload hasn't worked.
Look more closely at the JavaScript.
document.write("<script src='"+pr_s+"'><\/script>");
It writes the script tag to the document with the src wrapped in ', so a " in the payload never closes the attribute. Closing it with ' instead gives the final payload:
http://www.bugbountytraining.com/challenges/challenge-8.php#clk='></script><script>alert(0)</script>
There is also the parameter n, which is handled exactly the same:
http://www.bugbountytraining.com/challenges/challenge-8.php#n='></script><script>alert(0)</script>
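Why the quote character matters, and how encoding the value closes the hole, shown as an added example that is not the challenge's own code. It assumes pr_s is the base URL plus the raw parameter value; fragmentParam, writeUnsafe, writeSafe, splitAtSrc and escapesAttribute are hypothetical names.

```javascript
// Added example, not the challenge's own code: the document.write sink
// modelled as string building so it runs in Node without a DOM.
const BASE = "https://www.bugbountyhunter.com/"; // cfpPrBase from the page

// Hypothetical stand-in for cfpParam(): read name=value from a URL fragment.
function fragmentParam(fragment, name) {
  for (const part of fragment.replace(/^#/, "").split("&")) {
    const eq = part.indexOf("=");
    if (eq !== -1 && part.slice(0, eq) === name) return part.slice(eq + 1);
  }
  return "";
}

// Vulnerable pattern: raw value inside a single-quoted src attribute.
// Assumption: pr_s is the base URL plus the unencoded parameter value.
function writeUnsafe(clk) {
  const pr_s = BASE + "?clk=" + clk;
  return "<script src='" + pr_s + "'><\/script>";
}

// Hardened: percent-encode the value so it cannot carry the delimiter.
function writeSafe(clk) {
  const url = new URL(BASE);
  url.searchParams.set("clk", clk); // ' < > / become %27 %3C %3E %2F
  return "<script src='" + url.href + "'><\/script>";
}

// Split markup the way an HTML parser reads a quoted attribute: the value
// runs to the next occurrence of the same quote character.
function splitAtSrc(html) {
  const open = html.indexOf("src=") + 4;
  const close = html.indexOf(html[open], open + 1);
  return { src: html.slice(open + 1, close), rest: html.slice(close + 1) };
}

// True when parameter text lands outside the src attribute as markup.
function escapesAttribute(html) {
  return splitAtSrc(html).rest !== "><\/script>";
}

// Constructed inputs: the two fragment styles discussed above.
const dq = fragmentParam('#clk="></script><script>alert(0)</script>', "clk");
const sq = fragmentParam("#clk='></script><script>alert(0)</script>", "clk");
console.log("double quote escapes:", escapesAttribute(writeUnsafe(dq)));
console.log("single quote escapes:", escapesAttribute(writeUnsafe(sq)));
console.log("encoded value escapes:", escapesAttribute(writeSafe(sq)));
```

In a browser, creating the element with document.createElement("script") and assigning its src avoids parsing an HTML string at all.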