An XSS Story
Last night I stumbled across an XSS in a bug bounty program, and it was quite fun to exploit. A little bit of context: the URL was as follows:
Let’s try my favorite test payload
AAAA"<i>'BBBB(1) and see how each character is handled: the double quote, the tag, the single quote and the parentheses each probe a different part of the filter.
The tag was stripped, but the double quote wasn’t escaped. We can say goodbye to the infamous
In JS, if our value lands inside a string literal, we can close the string with a double quote, concatenate a function call, and it will be executed; a simple alert(1) should do the job. Our payload is now
Damn, it seems that our parentheses were removed. Let’s try an alternative way to trigger an alert, using backticks:
AAAA"+alert`1`+"BBBB. A tagged template literal calls alert without any parentheses, passing the array ["1"], which the browser displays as 1. This trick works on Firefox and Chrome/Opera in their latest versions.
Yay, our alert(1) popped :D. Let’s now imagine stricter protections, just to do some JS magic.
We can try to
alert() using backticks and some escape characters.
What if eval and alert are banned keywords?
We can still use the Function constructor: new Function!
That’s all folks!