hackr.gg — Official Walkthrough
Confidential · Educational Use Only

The Search Bar — Crapazon

Cross-Site Scripting (XSS) · Reflected Cross-Site Scripting (XSS)
Difficulty: Beginner
Vuln class: Reflected Cross-Site Scripting (XSS)
Steps: 4
// Objective
Inject a JavaScript payload into the Crapazon product search bar that executes in the browser and reveals the flag.
// Tools required
Browser Developer Tools
// Step-by-step walkthrough
1. Use the search feature
Open the Crapazon app and use the search bar to search for any product. Notice that your search term is reflected back on the results page — e.g. "Showing results for: shoes".
Whenever a page echoes your input back into the HTML, it is a candidate for reflected XSS.
2. Confirm unsanitised reflection
Search for a string containing an HTML tag. If the tag renders rather than being displayed as text, the application is not encoding output.
Command / Input
<b>test</b>
Output
Page displays "Showing results for: test" in bold — the <b> tag was rendered, not escaped.
3. Inject a script payload
Replace the HTML tag with a script tag to execute JavaScript.
Command / Input
<script>alert(1)</script>
Output
An alert box appears with "1". XSS confirmed.
If the browser blocks inline scripts due to CSP, try an event-handler payload instead: <img src=x onerror=alert(1)>
4. Read the flag
The flag is stored in a JavaScript variable on the page. Access it through the console or your payload.
Command / Input
<script>alert(FLAG)</script>
Output
HackrGG{cr4p4z0n_s34rch_x55}
In a real attack you would replace alert() with fetch() to exfiltrate the victim's session cookie to an attacker-controlled server.
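Added example (not part of the hackr.gg walkthrough and not Crapazon's own code): a constructed mock of the results page that reflects the search term unencoded, the hardened version that entity-encodes it, and the check from step 2 expressed as a function that reports whether a probe came back as raw markup or as encoded text.

```javascript
// Vulnerable mock of the Crapazon results page: the search term is concatenated
// straight into the HTML, so a probe such as <b>test</b> is parsed as a tag.
function renderResultsVulnerable(term) {
  return `<h2>Showing results for: ${term}</h2>`;
}

// Hardened: every character with meaning in an HTML text or attribute
// context is replaced by its entity before the term is interpolated.
// A CSP that blocks inline scripts is defence in depth on top of this,
// not a substitute for it (the page would still reflect raw markup).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderResultsSafe(term) {
  return `<h2>Showing results for: ${escapeHtml(term)}</h2>`;
}

// The step-2 check as a function: given a response body and the probe that was
// submitted, report "raw" (probe reflected verbatim, i.e. rendered as markup),
// "encoded" (only the entity-encoded form is present), "absent", or
// "inconclusive" when the probe contains no HTML-significant characters and
// therefore cannot tell the two cases apart.
function reflectionState(html, probe) {
  const encoded = escapeHtml(probe);
  if (encoded === probe) return "inconclusive";
  if (html.includes(probe)) return "raw";
  if (html.includes(encoded)) return "encoded";
  return "absent";
}

// Constructed probe from step 2 of the walkthrough.
const probe = "<b>test</b>";
console.log(reflectionState(renderResultsVulnerable(probe), probe)); // raw
console.log(reflectionState(renderResultsSafe(probe), probe));       // encoded
```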
// Flag
Flag value: HackrGG{cr4p4z0n_s34rch_x55}
Revealed when your XSS payload executes in the search results page.