
This lab is hosted on XSSy. Visit the lab page to submit your payload.
Restricted Upload
I believe this lab is non-exploitable, but I am interested to see if someone can find a way. The objective is to call alert(document.cookie) and have the flag cookie appear.
The lab accepts file uploads, but blocks extensions known to be dangerous. Specifically:
- The blocked extensions are: .html, .htm, .xhtml, .xht, .xml, .svg and .svgz.
- The restriction is enforced server-side and intended to be immune to bypasses, such as content-type tweaking, case tweaking, and null byte injection.
- No processing is performed on uploaded files; they are just made available for download.
- The content-type of downloads is based on their extension, using standard MIME mappings.
- Unknown extensions have the MIME type application/octet-stream.
- PDFs are allowed but PDF JS executes in an isolated context that is not useful for XSS.
Of course, security best practice is to use an allow list, not a deny list, serve user uploads from a separate domain, etc. This lab is about refining offensive techniques, not showcasing defensive best practice.
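
The allow-list approach mentioned above, sketched as an added example that is not part of the lab or of XSSy's code. The allowed extensions, the function names and the response headers chosen here are assumptions for illustration.

```python
import os
import uuid

# Assumed allow list for this example: extension -> the single Content-Type it is served with.
ALLOWED_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".gif": "image/gif",
    ".txt": "text/plain; charset=utf-8",
    ".pdf": "application/pdf",
}


class UploadRejected(ValueError):
    """Raised when an upload's name does not end in an allow-listed extension."""


def allowed_extension(filename: str) -> str:
    """Return the lower-cased extension if it is allow-listed, else raise."""
    if "\x00" in filename:
        raise UploadRejected("NUL byte in filename")
    # Keep only the final path component, whichever separator the client sent.
    name = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_TYPES:
        # Anything not explicitly listed is refused, including unknown
        # extensions a deny list would serve as application/octet-stream.
        raise UploadRejected(f"extension {ext!r} is not allowed")
    return ext


def stored_name(filename: str) -> str:
    """Server-generated name: the client's name never reaches disk or headers."""
    return uuid.uuid4().hex + allowed_extension(filename)


def download_headers(name: str) -> dict:
    """Headers for serving a stored file (ideally from a separate upload origin)."""
    ext = os.path.splitext(name)[1]
    return {
        "Content-Type": ALLOWED_TYPES[ext],
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

The download response forces a save dialog and disables MIME sniffing, so even an allow-listed file is never rendered as a document in the application's origin.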