David Sopas – Web Security Researcher

August 14, 2015 at 9:17 am

Win $50 Amazon Gift card with a XSS challenge

Win $50 Amazon Gift card with a XSS challenge

I’m a big fan of XSS and to make my new website more visible to the infosec guys I’m offering two Amazon gift cards.
The first correct solution will have a $50 Amazon Gift card. The second one will receive $25 Amazon Gift card.

The rules are simple (like the challenge). Show a alert box in the following vulnerable code with a message containing the word xss.

function go()
var w = location.hash;
w = w.replace(/['", ]+/g, "");
document.getElementById("say").innerHTML = w.substring(0,26);

<div id="say"></div>

<a onclick="go()">Say it</a> 


  • You can’t use some of the chars represented in the w.replace line of code
  • You can only use Chrome, Firefox, Opera, Internet Explorer or Safari latest versions
  • XSS vector must be less or equal to 26 chars long
  • When commenting your entry use the [ code]code[ /code] to write your code (without the leading space)

The challenge will end on 19 august at midnight. All the solutions must be added in this post comments.
All the comments will be inactive until the challenge finishes.

UPDATE: I’ll give a bonus to the user who replies with the most creative XSS.

Good luck! Happy hunting 🙂

Challenge # ,
Share: / / /

16 thoughts on “Win $50 Amazon Gift card with a XSS challenge

  1. Double post, probably chars were stripped from blog comments code. You should decode it before trying, anyway


    tested on firefox 😀

  2. Kenan says:
  3. .mario says:

    (Works on MS Edge, Win10)

    1. .mario says:

      Oh, also works on FF34+ (incl. latest). Not sure if Edge is allowed ^^

  4. Kenan says:
  5. Swissky says:

    We could use the following payload to execute an alert with the word XSS , simple but effective ^^


    Tested on Firefox 40.0

    Have fun 🙂

  6. RG says:

    This works (if you click on the big “a”):

  7. mohamed al-sagaaf says:
    function go()
    var w = location.hash;
    w = w.replace(/['", ]+/g, "");
    document.getElementById("" onclick=alert(1)//*/alert(1)//").innerHTML = w.substring(0,26);
    <div id=""; onclick=alert(1)//*/alert(1)// ">;
    <a>" onclick=alert(1)//*/alert(1)// ' </a>
  8. Fragile says:
  9. shhnjk says:

    Works on latest Firefox.

  10. <svg/onload=alert`xss`>

    Tested on latest ff

  11. Eminem says:
  12. Paresh says:

    Browser: Firefox
    Os: Windows

  13. Salem Elmrayed says:

    works on Microsoft Edge

Leave a Reply