7

This is some vulnerable JavaScript code:

    $(document).ready(function(){
        var payload = unescape(document.location.hash.substr(1));
        $(payload);
        document.body.innerText = "The payload is: " + payload;
    });

When I tried exploiting it with this input

    http://localhost/xss.html#<img src=x onerror=alert(0)>

it worked fine, popping up the alert. My case is slightly different, there's a little filter that prevents the exploit:

    $(document).ready(function(){
        var payload = unescape(document.location.hash.substr(1));
        payload = payload.split('=')[0]; // <------- The new filter
        $(payload);
        document.body.innerText = "The payload is: " + payload;
    });

It truncates everything after the "=" character, which means I can't inject attributes. I already tried the following, but it did not work:

  • HTML encode the equal character (onerror&equal;alert())
  • <script>alert(0);</script>

Anyone have an idea what I can do to bypass this filter?

1
  • Owh, sorry, I forgot to mention this: the payload works on Internet Explorer. IE does not have that automatic URL encoding feature. Commented Apr 8, 2018 at 18:38

3 Answers

1

I think it is safe to say at this point that there is no trivial/text-book bypass for this filter using a modern browser. I shared this snippet of code with a group of friends and colleagues who I consider proficient in XSS and none of them could construct a bypass.

    -2

    You can try the encoded character equivalent to what you are trying to input. Try using URL encoding on the payload portion of your input to bypass this filter.

    For instance, you can URL encode "=" to %3D or URL encode <img src=x onerror=alert(0)> to %3Cimg+src%3Dx+onerror%3Dalert%280%29%3E

    This will bypass the filter if it is expecting "="

    Alternatively, since it looks like you are running this on your localhost, use a proxy tool such as Burp Suite to intercept your requests and responses; there you can play around with different payloads to test your XSS payloads.

    1
    • The question contains the code of the filter: it will decode any URL-encoded payload. This bypass, quite useful in other cases, can't work here. Commented Sep 27, 2018 at 14:08
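    To make the comment above concrete, here is an added example (not code from the question or either answer) that reproduces the filter's string handling without a DOM and shows why an encoded "=" is cut just like a literal one, alongside a hardened replacement that never hands the fragment to `$()`. The `ID_TOKEN` pattern, `selectFromHash` and the `lookupById` callback are assumptions introduced here for illustration.

```javascript
// Added example, not from the question. Models the question's filter as a pure
// function and shows a hardened alternative. No DOM or jQuery is required.

// The question's filter reduced to its string handling: decode the fragment
// FIRST, then cut at the first '='. Because unescape() runs before split(),
// a URL-encoded %3D is already a literal '=' when the split happens, so
// encoding the character does not get past the filter.
function filterPayload(hash) {
  const payload = unescape(hash.substr(1)); // decodes %3D -> '='
  return payload.split('=')[0];             // truncates at the decoded '='
}

// Hardened replacement (an assumption of this example, not the asker's code).
// The real weakness is passing attacker-controlled text to $(), which treats a
// string starting with '<' as HTML to parse. Instead: accept only an
// identifier-shaped token and look it up as an element id; reject everything
// else. Display text must go through textContent/innerText, never innerHTML.
const ID_TOKEN = /^#?[A-Za-z][A-Za-z0-9_-]{0,63}$/;

function selectFromHash(hash, lookupById) {
  let raw;
  try {
    raw = decodeURIComponent(hash.slice(1));
  } catch (e) {
    return { ok: false, reason: 'malformed percent-encoding' };
  }
  if (!ID_TOKEN.test(raw)) {
    return { ok: false, reason: 'fragment is not an element id' };
  }
  const id = raw.replace(/^#/, '');
  const el = lookupById(id); // in a browser: document.getElementById
  return el ? { ok: true, id: id, el: el } : { ok: false, reason: 'no such element' };
}
```

    Run with Node to see that both the literal and the percent-encoded fragment from the answer above collapse to the same truncated string, while `selectFromHash` rejects anything that is not a plain element id.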
    -5

    You should encode it. Something like this will work:

     eval(String.fromCharCode(/* list of character codes of the payload */))

    You need to split the payload into its characters and convert them one by one into ints. You can make a script for it.

    Also, you might want to look at atob and btoa.
