WEBVERSE


easy · Reflected XSS · Pro

Sprocket Line

A bike-parts shop paid good money for a filter that strips 'script'. Only that.

The Scenario

After a phishing near-miss, Sprocket Line's owner hired someone to "add security." He got one line of PHP that strips <script> from input — and a two-page invoice. The owner feels much better now.

Challenge Intel

Synopsis

The filter only blocks one tag name. Pick another.

What It Is

A PHP storefront with a laughably narrow script-tag blocklist on the search field.

Who It's For

Newcomers to filter bypass.

Skills You'll Practice

  • Recognising a naive substring blocklist
  • Pivoting from <script> to event-handler XSS

What You'll Gain

  • First bypass-a-filter win
  • Confidence that bad filters are common
