
## [Original/Source Writeup](https://bigpick.github.io/TodayILearned/articles/2020-10/b01lersbootcamp#reindeer-flotilla)

The website is just a simple page that echoes back whatever we input in a text field.

From the description, we need to execute XSS. However, `<alert>` is blocked and cannot be entered into the box. Searching Google for alternative XSS payloads that circumvent filtering, we find this [XSS filter evasion cheat sheet](https://owasp.org/www-community/xss-filter-evasion-cheatsheet).

In the page, we find the following payload:

```
\xxs link\</a\>
```

We are allowed to post this in the box, and when the link is moused over, it successfully triggers the XSS, dumping the cookies (followed by our flag).

![](https://bigpick.github.io/TodayILearned/img/b01lers_bootcamp2020/xss_flag.png)

Flag is `flag[y0u_sh0uldnt_h4v3_c0m3_b4ck_flynn]`
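
Why the filter failed, and what fixes it, as an added example that is not part of the original writeup: a blocklist only rejects the patterns it knows, so markup that fires on mouse-over passes, while encoding the echoed output removes the problem whatever the input is. The challenge's real filter is not shown on the page, so `BLOCKLIST`, the function names and the sample inputs are assumptions.

```javascript
// Added example (not from the writeup). The challenge's real filter is not
// shown on the page; BLOCKLIST is a hypothetical stand-in for it.
const BLOCKLIST = [/<\s*script\b/i, /<\s*alert\b/i];

// Blocklist check: accept anything that matches no known-bad pattern.
function blocklistAccepts(input) {
  return !BLOCKLIST.some((re) => re.test(input));
}

// Vulnerable echo: accepted input is concatenated into the page as markup.
function renderUnsafe(input) {
  if (!blocklistAccepts(input)) return null; // request rejected
  return `<div id="echo">${input}</div>`;
}

// Output encoding for an HTML text context: every metacharacter becomes an
// entity, so the browser shows the input as text instead of parsing it.
function escapeHtml(input) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Hardened echo: no blocklist needed, the input can never become a tag.
function renderSafe(input) {
  return `<div id="echo">${escapeHtml(input)}</div>`;
}

// Crude check for a raw tag carrying an inline event-handler attribute.
function hasInlineHandler(html) {
  return /<[a-z][^<>]*\son\w+\s*=/i.test(html);
}

// Constructed inputs; handler() is a harmless placeholder function name.
const SAMPLES = ['<script>handler()</script>', '<a onmouseover="handler()">xxs link</a>'];

// For each sample: did the blocklist accept it, and does a live handler
// attribute survive in the unsafe and in the encoded rendering?
function report() {
  return SAMPLES.map((input) => {
    const unsafe = renderUnsafe(input);
    return {
      input,
      accepted: unsafe !== null,
      unsafeHasHandler: unsafe !== null && hasInlineHandler(unsafe),
      safeHasHandler: hasInlineHandler(renderSafe(input)),
    };
  });
}

console.table(report());
```

The second row is the case from this challenge: accepted by the blocklist, live in the unsafe rendering, inert once encoded.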