I’m a big fan of XSS and to make my new website more visible to the infosec guys I’m offering two Amazon gift cards.
The first correct solution will win a $50 Amazon gift card. The second one will receive a $25 Amazon gift card.

The rules are simple (like the challenge). Show an alert box in the following vulnerable code with a message containing the word xss.

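[code lang="html"]
<script>
// Deliberately vulnerable: the URL fragment is filtered, cut to 26 chars and written to innerHTML.
function go() {
  var w = location.hash;
  w = w.replace(/['", ]+/g, "");
  document.getElementById("say").innerHTML = w.substring(0, 26);
}
</script>

<div id="say"></div>

<a onclick="go()">Say it</a>
[/code]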


  • You can’t use some of the chars represented in the w.replace line of code
  • You can only use Chrome, Firefox, Opera, Internet Explorer or Safari latest versions
  • XSS vector must be less than or equal to 26 chars long
  • When commenting your entry use the [ code]code[ /code] to write your code (without the leading space)

The challenge will end on 19 August at midnight. All the solutions must be added in this post's comments.
All the comments will be inactive until the challenge finishes.

UPDATE: I’ll give a bonus to the user who replies with the most creative XSS.

Good luck! Happy hunting 🙂
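
The following is an added example, not code from the original post or its comments: it reproduces the challenge's filter as a pure function to show that a deny-list of quotes, commas and spaces plus a 26-character cap leaves markup characters intact, and contrasts that with output encoding and a `textContent` sink. The names `challengeFilter`, `escapeHtml` and `goSafe` and the sample fragment are assumptions made for the illustration.

```javascript
// Added example (not from the post). All function names are hypothetical.

// The transformation the challenge applies before assigning to innerHTML.
// A straight single quote is assumed where the page shows a typographic one.
function challengeFilter(hash) {
  return hash.replace(/['", ]+/g, "").substring(0, 26);
}

// Output encoding for an HTML text context: every character that can
// start a tag, an entity or an attribute value is replaced.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened go(): the fragment is never parsed as HTML, because
// textContent only ever creates a text node.
// `doc` is the page's `document` (passed in so the function is testable).
function goSafe(doc, hash) {
  const el = doc.getElementById("say");
  el.textContent = hash.substring(0, 26);
  return el;
}

// Constructed sample fragment containing benign markup.
const sample = "#<b>bold, 'quoted' text</b>";

// The deny-list strips quotes, comma and spaces but keeps the tags.
const filtered = challengeFilter(sample);
console.log("reaches innerHTML in the challenge:", filtered);

// Encoding the same value turns the tags into inert text.
console.log("after output encoding:            ", escapeHtml(filtered));
```

In a browser the hardened handler is called as `goSafe(document, location.hash)`.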

16 Replies to “Win $50 Amazon Gift card with a XSS challenge”

  1. We could use the following payload to execute an alert with the word XSS, simple but effective ^^

    Tested on Firefox 40.0

    Have fun 🙂

  2. [code]function go()
    var w = location.hash;
    w = w.replace(/[‘", ]+/g, "");
    document.getElementById("" onclick=alert(1)//*/alert(1)//").innerHTML = w.substring(0,26);

    <div id=""; onclick=alert(1)//*/alert(1)// ">;

    <a>" onclick=alert(1)//*/alert(1)// ‘ </a>[/code]
