🎃 Spooky SSC CTF 🎃

💉 XSS Ghost

Cross-Site Scripting (XSS) allows attackers to inject malicious scripts into web pages. Can you find the vulnerability?

Your Mission: Inject JavaScript code into the search form to trigger an XSS vulnerability!

💡 Challenge Overview

Goal: Inject JavaScript code into the search form.

Difficulty: Intermediate (XSS fundamentals)

Time to complete: 5-10 minutes

Key Learning: Untrusted input that is inserted into a page without escaping is parsed as HTML, so any script or event handler it contains runs in the victim's browser.

💉 The XSS Ghost Challenge

Cross-Site Scripting (XSS) allows attackers to inject malicious JavaScript code into web pages. This search form has a real vulnerability!

🛠️ How to Solve This Challenge:

  1. Try basic XSS payloads in the search box:
    • <script>alert('XSS')</script>
    • <img src=x onerror=alert('XSS')>
    • <svg onload=alert('XSS')>
  2. Look for the flag - The system will detect your XSS attempt and show the flag
  3. Try the word "flag" - Sometimes just mentioning it triggers detection
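The three steps above come down to one bug: the search term is concatenated into the results HTML unchanged. The block below is an added example written for this page, not the challenge's own code; the function names, the denylist regex and the fourth payload are assumptions (the challenge's real detector is not shown). It renders the suggested payloads through a vulnerable template and through an escaped one, and runs them past a simple denylist of the kind a scoreboard or a naive filter might use, which is why the "bypass filters" tip works: a denylist misses vectors it was not written for, while output escaping neutralises all of them.

```javascript
// Added example for the XSS Ghost challenge (not the challenge's own code).
// Runs under Node without a DOM: everything here operates on HTML strings.

// Constructed inputs: the three vectors suggested in the challenge, plus one
// less common event-handler vector that a short denylist tends to miss.
const PAYLOADS = [
  "<script>alert('XSS')</script>",
  "<img src=x onerror=alert('XSS')>",
  "<svg onload=alert('XSS')>",
  "<details open ontoggle=alert('XSS')>", // assumption: not on the challenge's list
];

// Vulnerable renderer: the search term goes straight into the HTML string,
// which is exactly what "inserted directly into the HTML" means.
function renderResultsUnsafe(term) {
  return `<h2>Results for: ${term}</h2><p>No spooky content found.</p>`;
}

// Escape the five HTML metacharacters so user input can only ever be text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: same markup, but the term is escaped before interpolation.
function renderResultsSafe(term) {
  return `<h2>Results for: ${escapeHtml(term)}</h2><p>No spooky content found.</p>`;
}

// Illustrative denylist (assumption): catches the well-known vectors only.
// A check like this is fine for a CTF scoreboard; it is not a defence.
const XSS_DENYLIST = /<script\b|\bonerror\s*=|\bonload\s*=|javascript:/i;

function looksLikeXssAttempt(term) {
  return XSS_DENYLIST.test(term);
}

// Run every payload through both renderers and the denylist.
// rawSurvives: payload lands verbatim in the unsafe output (injected).
// escapedSurvives: payload lands verbatim in the safe output (should never be true).
// denylistHit: the denylist noticed it (false for the ontoggle vector).
function compare(payloads = PAYLOADS) {
  return payloads.map((p) => ({
    payload: p,
    rawSurvives: renderResultsUnsafe(p).includes(p),
    escapedSurvives: renderResultsSafe(p).includes(p),
    denylistHit: looksLikeXssAttempt(p),
  }));
}

for (const row of compare()) {
  console.log(row);
}
```

Note that the fix is output encoding at the point where the term is written into HTML, not input validation: a search term containing `<` is legitimate input, and escaping it lets the page display it as text rather than execute it.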

🔍 What You're Learning:

  • XSS Fundamentals - How untrusted input becomes script that runs in another user's browser
  • Output Encoding - Why user input must be escaped before it is written into HTML (validating input alone does not stop XSS)
  • Client-Side Security - How browsers parse HTML and execute any script or event handler they find in it, injected or not
  • Attack Vectors - Different tags and event handlers that trigger XSS when markup is reflected unescaped

💡 Pro Tips:

  • Start simple - Try a basic alert() payload first to confirm the input is reflected unescaped
  • Bypass filters - If one payload is blocked, try another tag or event handler; a denylist only knows the vectors it was written for
  • Use browser dev tools - Check the console for errors and inspect the Elements panel to see where your input lands in the DOM
  • Real-world impact - XSS can steal session cookies, perform actions as the victim, redirect users, or deface sites

🔍 The Haunted Search Engine

This search engine is supposed to help you find spooky content, but it has a vulnerability...


🔍 XSS Attack Vectors (Try These!):

Note: The search results are vulnerable to XSS because your input is inserted directly into the results HTML without escaping.

Challenge: Inject JavaScript code to execute an alert popup and get the flag!
