Expert

Reflected XSS with AngularJS expression escape and CSP

The first step of the payload is to set the location property which is a built-in JavaScript object that represents the URL of the current page, and setting it to a new URL is constructed using a template string that includes the following components...

Reflected XSS with AngularJS Sandbox Escape without Strings

View the page source and observe that your canary is between the angularJS script. Remember that you are dealing with angularJS sandbox, that means regular attack vectors are not going to work. For being able to deliver a successfull XSS attack you have to bypass the angularJS sandbox.

Reflected XSS with Event Handlers and href Attributes Blocked

First we need to search for a valid HTML tag.I assume you know how to do that process(you should have been solved previous labs before than that) but if you are not comfortable about how to do it, you can visit this link.

Reflected XSS in a JavaScript URL with some characters blocked

However, you cannot use these alternative payloads in this situation because you are not allowed to use white spaces and some characters are literally banned. That s why, in order to filling the white spaces you need to use multi-line comment feature(/***/). It is possible use /***/ statement for both opening and closing a comment line on the same line.