Challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic unless clearly specified in the challenge information below.
I couldn't use the traditional methods of stopping XSS because of the way my application works. Because of this I've had to create a "strict" filter to stop malicious attackers and help protect my users. I'm 100% sure you can't beat this filter! Try to find the vulnerable parameter(s) and then see if you can beat it/them. :)
Most of you got this, but only a handful reported both vulnerable parameters. Firstly, the ?uname= parameter is vulnerable to XSS, but if you view the source you'll also see: "Error: You can't supply a password via GET."
Changing the request to POST causes the "psw" parameter to also be vulnerable. The idea behind this challenge is to train you to try all request types (GET, POST, etc.) and see how the application handles each one.
Both ?uname and psw parameters are vulnerable to basic XSS.
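The same lesson applies when testing your own fix: an output-encoding regression check has to cover every method a handler accepts, not just GET. The sketch below is an added example, not the challenge's code. `render` is an assumed model of the page's behaviour as described above, and `PROBE` is a constructed, harmless marker.

```python
import html

PROBE = "<i>probe</i>"  # constructed, harmless marker for unencoded reflection


def render(method, params, encode=False):
    """Assumed model of the challenge page; encode=True is the hardened form."""
    enc = html.escape if encode else (lambda s: s)
    out = []
    if "uname" in params:
        # uname is echoed back regardless of request method
        out.append("<p>Hello " + enc(params["uname"]) + "</p>")
    if "psw" in params:
        if method == "GET":
            # psw is refused on GET, so a GET-only test never reaches the echo
            out.append("Error: You can't supply a password via GET.")
        else:
            out.append("<p>psw: " + enc(params["psw"]) + "</p>")
    return "\n".join(out)


def audit(encode, methods=("GET", "POST"), names=("uname", "psw")):
    """Return the (method, parameter) pairs that reflect PROBE unencoded."""
    hits = set()
    for method in methods:
        for name in names:
            if PROBE in render(method, {name: PROBE}, encode=encode):
                hits.add((method, name))
    return hits


if __name__ == "__main__":
    print("GET only :", sorted(audit(False, methods=("GET",))))
    print("all      :", sorted(audit(False)))
    print("hardened :", sorted(audit(True)))
```

A GET-only audit reports just `uname`; adding POST surfaces `psw` as well, and the encoded variant reports nothing for either method.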