Last update: 2013-05-12 11:21:52


  1. Scanners are useless
  2. Your vector should work in recent browsers (Chrome/IE/FF)
  3. Alert your name and the challenge is done


  1. Focus on attributes and alternative JavaScript execution vectors
  2. header("X-XSS-Protection: 0"); //is already set
  3. If the challenge is not solved in 3 days, a filter will be removed



1. Mario Heiderich (.mario) & alex@insertScript (Prize: A Guide to Kernel Exploitation: Attacking the Core by Enrico Perla)
1. Masato Kinugawa (@kinugawamasato) (Also the winner, due to exceptional solution. Prize: A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security)
3. Be the last!

inject your code here :