Ugandan Knuckles PwnFunction XSS Solution

Ugandan Knuckles is a very simple PwnFunction XSS level. It teaches you how to inject code directly into the attributes of an existing HTML tag instead of adding a new element of your own.

So let's start by analyzing the code.

PwnFunction XSS Ugandan Knuckles Code

Just like in the previous levels, the code reads a GET parameter named "wey", and if that parameter is empty the value defaults to "do you know da wey?".

Then there is a regex that removes the characters in "[]<>". The "[]" are the regex's own character-class brackets, so what actually gets stripped is "<" and ">", which means we can't use a <script> tag (or any other tag) in our payload.

Finally, and this is what we will exploit, the filtered value is interpolated into an HTML element: it lands inside the placeholder attribute of an input tag, with no encoding other than the "<>" removal.

Let's analyze what we can do first. We agree that we can't use any <script> tags, and we can't close the input tag with ">" and open our own. But the code doesn't check for double quotes, which means we can close the placeholder attribute value early and add something of our own inside the same tag.

But what is that "something"? Well, HTML elements have JavaScript event handler attributes (onclick, onfocus, onmouseover, and so on), and there is a long list of events that work with different HTML elements, so you can check which events work with the 'input' element from here.

Since we want minimal user interaction, I will use the onfocus event, which fires when the input field receives focus, whether via mouse or keyboard, and before the user starts typing anything. Attribute names are case-insensitive in HTML, so onFocus and onfocus are the same handler.

So we have a basic understanding of what we need to do; let's craft it.

The template as it stands right now looks like this (wey is our GET parameter after the "<>" filter):

<input type="text" placeholder="${wey}" class="form-control">

So let's close the placeholder first, by passing a single double quote as the parameter:

<input type="text" placeholder=""" class="form-control">

Now we add our event. Note the stray double quote after alert(1337): that is the template's own closing quote, which now dangles after our handler:

<input type="text" placeholder="" onfocus=alert(1337)" class="form-control">

Now you might think this is enough, but we want the XSS to run automatically. For that we can use an attribute called 'autofocus', which tells the browser to focus that element when the page loads, so we need to change our payload a bit. The extra double quote at the end is there to absorb the template's closing quote: without it the HTML parser treats the dangling quote as part of the attribute name, so you get something like (autofocus"="") in your DOM and the autofocus attribute is never recognized.

<input type="text" placeholder="" onfocus=alert(1337) autofocus "" class="form-control">

Perfect, so the final payload (the value of the "wey" parameter) is:

" onfocus=alert(1337) autofocus "

With autofocus the onfocus handler is meant to fire as soon as the page loads, with no interaction at all. If the alert does not show when you load the page, for example because the challenge renders the result inside an iframe, where browsers do not reliably honour autofocus, just click on the input field and the handler will fire.

And this is the solution for Ugandan Knuckles PwnFunction XSS