Cross Site Scripting - Level 05 __ Frozen Flame

var x = "I am not HTML";

Hello thirsty learners. Until this blog, we were talking about Cross Site Scripting attacks in the HTML context. Now we will talk about the " JavaScript " context. That's why I named this blog " I am not HTML ". So, let's start hacking..

I was going through a website, and I found something interesting there. Whatever I wrote as my payload was reflected, but inside the <script>...</script> tag. If we stay in the HTML context and give HTML vectors like svg, img etc., the XSS won't trigger at all. In this case, we have to think like JavaScript.

Exploitation ::

When I gave input to a particular param, it was reflected in the source code, but inside the script tags. So, I tried to close the </script> tag, but the payload was getting filtered. It was looking like this,

Well, that means we can't close the tag. So, we have to think differently here.


Well, I tried whether I could give any special characters or not, like " ; ( ) or similar stuff. Yes, I was able to do so.


Yea. I think we can manipulate this to make a successful XSS attack. For this, we need to know some basics of JavaScript. That is, every JavaScript statement ends with a semicolon ( ; ). So, as per that rule, we have to close the string and the statement with this,

";

And after that, we have to write our payload, like this,


But it won't pop up, because we have closed the first statement, yet the original closing quote and semicolon are still there, so the second statement is left open and the script has a syntax error. So, we have to close that one also, in the same manner.


If you have done it like this, this one is for you,


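The following Node.js snippet is an added example and not code from the original post: it reproduces the server-side pattern that puts user input inside a JavaScript string literal in a <script> block (the situation exploited above), and shows the encoding that keeps that input a single string literal even when it contains the quote, semicolon and comment sequences used above, or a closing </script> tag. The function names, the `var x` template and the sample inputs are all constructed for this illustration.

```javascript
// Added example (not from the original post). Shows how the JavaScript-context
// reflection arises and how to encode user data so it stays one string literal.
// All function names and sample inputs here are constructed for illustration.

// Vulnerable rendering: raw interpolation into a JS string inside <script>.
function renderUnsafe(userInput) {
  return '<script>var x = "' + userInput + '";</script>';
}

// Hardened encoding: JSON-serialise the value, then escape the characters that
// can still break out of the <script> block or act as line terminators.
function encodeForJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')      // stops "</script>" from closing the block
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028') // older engines treat these as newlines
    .replace(/\u2029/g, '\\u2029');
}

// The encoder emits the quotes itself; do not wrap its output in more quotes.
function renderSafe(userInput) {
  return '<script>var x = ' + encodeForJsString(userInput) + ';</script>';
}

// Pull the script body back out of the rendered HTML (greedy, like a browser
// that stops at the last "</script>" if an earlier one was not escaped).
function scriptBody(html) {
  const m = /<script>([\s\S]*)<\/script>/.exec(html);
  return m ? m[1] : null;
}

// Defensive check: the body must be exactly one assignment of one
// double-quoted literal to x, and must not contain a raw "</" that an HTML
// parser would read as the end of the script block.
function staysSingleLiteral(body) {
  if (body === null) return false;
  const oneLiteral = /^var x = "(?:[^"\\\r\n]|\\[\s\S])*";$/.test(body);
  return oneLiteral && !/<\//.test(body);
}

// The encoding must be lossless: the browser decodes it back to the same text.
function roundTrips(value) {
  return JSON.parse(encodeForJsString(value)) === value;
}

// Demo with constructed inputs: the breakout sequence from the post and a
// closing script tag.
for (const input of ['";alert(1);//', '</script>']) {
  console.log('unsafe:', renderUnsafe(input),
              '->', staysSingleLiteral(scriptBody(renderUnsafe(input))));
  console.log('safe:  ', renderSafe(input),
              '->', staysSingleLiteral(scriptBody(renderSafe(input))));
}
```

The check deliberately looks at two layers: the JavaScript layer (is the literal still closed only where the template closes it?) and the HTML layer (can the value end the <script> element?). Escaping only for one of them is the classic mistake; the JSON step fixes the first and the `\u003c` rewrite fixes the second.
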
Similar Scenarios ::

Here are some similar scenarios which you may face during the exploitation of a vulnerable web application.

Scenario 1 ::

If your payload is inside single quotes ( ' ), like this,

Then use this payload , ';alert(1);'

Scenario 2 ::

If the semicolon ( ; ) gets filtered by the web application or the filter, use methods like these ::

'-alert(1)-'

'+alert(1)+'



Scenario 3 ::

If you don't want to keep the rest of the script balanced, try these payloads ::

';alert(1);//
';alert(1);<!--
";alert(1);//
";alert(1);<!--



This will comment out the rest of the JavaScript code, so it will not run in the web app. I hope this will help you in bug bounty. See you in another tutorial. Till then,
Happy Hacking. 💥