二門 (Two Gates)
XSS Dojo · v1.2

道場への挑戦 Enter the Dojo

A PHP endpoint reflects your input through a chain of filters. The developer believes it is secure. Identify the flaw, craft your payload, and execute alert(document.domain) to claim your katana.

Difficulty: ◆◆◆◇ Hard
⛩ 13 Samurai have claimed victory
8 Gates · 3 Insights Required
index.php — the eight gates (real source)

<?php
$q = $_GET['q'] ?? '';

// ── Filters applied before reflection ──────────────

// 1. Strip null bytes
$q = str_replace("\0", '', $q);

// 2. Cap length at 500 chars
$q = substr($q, 0, 500);

// 3. Block opening <script tags
$q = str_ireplace('<script', '', $q);

// 4. Block closing </script> tags
$q = str_ireplace('</script>', '', $q); // ← ?

// 5. Escape output
$q = addslashes($q); // ← ?
?>

<!-- Reflected into the page inside a <script> block: -->
<script>
  var __query = "<?= $q ?>";
</script>
⚠ This is text-only preview. The actual reflection is in a <script> block. Use "URL" to test XSS execution via direct URL reflection.
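For contrast, here is a hardened version of the reflection step. It is an editor's example, not the dojo's own source: the value is emitted as a JSON literal with every HTML-significant character hex-escaped, so the resulting JavaScript string can never contain the characters that would close the script block, and the tag blacklist becomes unnecessary. The helper name js_literal is my own.

```php
<?php
// Hardened reflection (added example, not the challenge's index.php).
//
// addslashes() is a SQL-style escaper: it knows nothing about HTML or
// JavaScript context, so a value that passes through it can still carry
// characters with meaning to the HTML parser. json_encode() with the
// JSON_HEX_* flags produces a valid JS string literal in which '<', '>',
// '&', '\'' and '"' are all written as \uXXXX escapes, so no HTML tag can
// ever appear in the emitted output, whatever the input looked like.
function js_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG            // < and > become \u003C and \u003E
        | JSON_HEX_AMP          // & becomes \u0026
        | JSON_HEX_APOS         // ' becomes \u0027
        | JSON_HEX_QUOT         // " becomes \u0022
        | JSON_INVALID_UTF8_SUBSTITUTE // replace bad bytes instead of failing
    );
}

$q = $_GET['q'] ?? '';

// Keep the length cap as a resource limit; the blacklist gates
// (str_ireplace on '<script' / '</script>') are no longer needed,
// because the encoder neutralises the characters they were chasing.
$q = substr($q, 0, 500);
?>
<script>
  // No surrounding quotes here: js_literal() returns a complete literal.
  var __query = <?= js_literal($q) ?>;
</script>
```

Pair this with a Content-Security-Policy that disallows inline scripts other than nonced ones, so an encoding mistake elsewhere on the page still cannot execute.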
Goal: Execute alert(document.domain), not just any alert().
Scope: This subdomain only. Do not attack surapura.in.
Two Modes: "Test Payload" shows filter output. "Launch Live" triggers real reflection via direct URL.
No Automated Fuzzing: Manual payload crafting only. Think, don't bruteforce.
侍の道 — Path of the Samurai

Resets with each new challenge

36dd (2026-02-23)
0xnay33m (2026-02-23)
lazy_sharaf (2026-02-23)
Scrubz (2026-02-23)
kaajukaatlee (2026-02-24)
Soura (2026-02-24)
binary_man (2026-02-25)
neontechtra (2026-02-25)
Hacknomious (2026-02-25)
Fabrikat0r (2026-02-26)
Mr_Deadsec_1747 (2026-02-26)
Check_Race_Condition (2026-02-26)
trickns (2026-02-27)