Lab: Reflected XSS in a JavaScript URL with some characters blocked


This lab reflects your input in a JavaScript URL, but all is not as it seems. This initially seems like a trivial challenge; however, the application is blocking some characters in an attempt to prevent XSS attacks.

To solve the lab, perform a cross-site scripting attack that calls the alert function with the string 1337 contained somewhere in the alert message.