WEBVERSE

medium | Reflected XSS | Pro

Canal Cove Books

The owner watched a tutorial on XSS and wrote two regexes. Two.

The Scenario

Canal Cove Books is a neighborhood used-book shop with a search over 40,000 titles. The owner added "security" — strip <script>, strip on*= handlers. He reads Hacker News now. The one thing he didn't account for is that not every way to run JavaScript looks like a script tag or an event handler.

Challenge Intel

Synopsis

Script tags and event handlers are stripped. Iframes aren't.

What It Is

A Flask book catalog with a two-rule filter on the search field.

Who It's For

Someone who's beaten a single-rule blocklist and wants the two-rule version.

Skills You'll Practice

  • Identifying layered filter holes
  • iframe srcdoc + HTML entity encoding
  • Smuggling a script through an attribute that accepts HTML

What You'll Gain

  • Awareness that not all JS-carrying attributes start with 'on'
  • Familiarity with srcdoc as a script-hosting vector
