The sentence below, which we see when we visit the challenge URL, hints at an XSS attack (capital X in "GiXe" and capital S in "Some"):
- GiXe me Some intresting Input
The challenge name, Choosy, suggests that not all payloads will work and that only a specific payload will, so we need to try different payloads until one works.
- If we use `<script>alert(1)</script>`, it strips out the script
- If we try an image payload, it works
Payload :-
Hints with point values :-
- Hint 1 :- image payloads work better than script tag payloads.
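
Why a filter that only strips script tags behaves this way, and what the fix looks like, as an added example that is not part of the original writeup or the challenge's code. The `blacklist_filter` function is an assumed stand-in for the challenge's filter, and the sample inputs are constructed for illustration (the image string is not the writeup's payload).

```python
import html
import re

# Assumed stand-in for the challenge's filter: it removes <script> tags only.
SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)
# A tag carrying an attribute that starts with "on" has an inline event handler.
EVENT_ATTR = re.compile(r"<[^>]*\son\w+\s*=", re.IGNORECASE)


def blacklist_filter(value):
    """Weak: strips script tags, leaves every other tag and attribute intact."""
    return SCRIPT_TAG.sub("", value)


def encode_output(value):
    """Hardened: HTML-encode so the browser renders the input as text."""
    return html.escape(value, quote=True)


def has_active_markup(rendered):
    """Rough check for a surviving script tag or inline event handler."""
    return bool(SCRIPT_TAG.search(rendered) or EVENT_ATTR.search(rendered))


# Constructed sample inputs (not taken from the writeup).
SAMPLES = {
    "script_tag": "<script>alert(1)</script>",
    "img_handler": "<img src=x onerror=alert(1)>",
    "plain": "hello world",
}


def compare():
    """Map each sample to (active after blacklist, active after encoding)."""
    return {
        name: (
            has_active_markup(blacklist_filter(value)),
            has_active_markup(encode_output(value)),
        )
        for name, value in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (weak, hardened) in compare().items():
        print(f"{name:12} blacklist_active={weak} encoded_active={hardened}")
```

The blacklist neutralises only the tag it names, while context-aware output encoding removes the markup meaning of every input.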