Try all other injection operators to see if any of them is not blacklisted. Which of (new-line, &, |) is not blacklisted by the web application?

How should the answer be written?

This threw me off too.
First, to get the result you want in Burp, only append the non-URL-encoded or URL-encoded injectable character, without spaces or anything, in Repeater.
Once you find out which character it is, try every possible operator and character names of it within the cheat sheet to submit as the answer.

How are you supposed to write the answer? I tried both encoded and non-encoded.

I try all the operators and find 7 answers, but none of them will be accepted as an answer. Could anyone help me?
;
%3b
\n
%0a
&
%26
|
%7c
&&
%26%26
||
%7c%7c
``
%60%60
$()
%24%28%29
0x0a
Newline
`

Ya, it's really annoying. Let me know if you figure it out.

I found it.

What is it?

This is an incorrect checking of answer. 2 hours out of my life. Correct answer is “New-Line” UpperCase with “-” delimiter…

1 Like

This question wanted us to use the URL-encoded character which was not highlighted in the question. For me the “&” worked which made things annoying.

3 Likes

For me $() and " ``" worked. But the answer was not accepting it. Finally, I inserted “New-Line” which was accepted as an answer… Don’t know how this is an answer, as “\n” does not work even when URL-encoded.