RHAinfoSec XSS Challenge - 2

Update: The results are announced here.

Welcome readers,

After a tremendous response with our first XSS challenge, we decided to make your lives a bit harder this summer by launching another XSS challenge. Like always, our challenges always challenging and based upon real world scenarios and the key to solving it mostly rely upon the ability to think outside the box.  

The challenge is based upon a a strong blacklist based protection, beware that the challenge may be very hard for you unless you don't understand the right injection context.   

Challenge Rules/Goals

• The challenge goal is to execute alert(1) inside the browser.
• Your payload must render javascript inside modern browsers. 
• The XSS protection header has been set to 0, which would turn off your client side XSS filter. 

Challenge Link

Special thanks to Mr Prakhar Prasad, for deploying the challenge. Alex Infuhr for beta testing and ideas with the challenge.  

• https://challenges.prakharprasad.com/xss/2

Hints/Tips

• If all you can do is "><img src=x onerror=prompt(1);>, then our humble apologies this challenge is not for you. 
• The WAF can be very hard, if you don't know how to properly reverse engineer filter rules. 
• You could refer to my "XSS Filter evasion Cheat sheet" for ideas on cracking this challenge.
• Automated scanners won't help here as often time they fail at producing context based payloads. 

Submissions

Sumbit your vector to rafayhackingarticles@gmail.com or prakhar@prakharprasad.com, or you could DM on my twitter @rafaybaloch, once you have cracked this challenge.