There are many solutions to Erling Ellingsen's escape.alf.nu XSS challenges, and I will be giving the solutions to the first few challenges in the set. I suggest not reading the write-up before attempting them. It can take several days to solve the challenges, depending on how much knowledge you already have. It took me several days to complete the first few challenges, and I will be posting here how to tackle them effectively, along with the key points to note while solving them.
The point to note here is that we first have to close the string that is passed to console.log("…") and only then append the code we actually want to run.
The key point in the next level is the line s.replace(/"/g, '\\"'), which replaces every double quote with \" (a backslash followed by the quote). The backslash it inserts can itself be escaped: put a backslash of our own in front of the quote, so the output contains \\" and the quote ends the string after all.
The point to note here is the function JSON.stringify(s), which escapes double quotes as \" but, as we can see, does not escape the < and > brackets. So what suddenly struck me was to make a script block and then execute alert(1) in it.
The point to note here is console.log(url): the input ends up inside a URL, and because literal double quotes are escaped here, we can instead use the URL encoding of the double quote (%22), which the browser decodes before the code runs.
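The following is an added example, not code from the original write-up or from the challenge site: it reconstructs the escaping strategies described in the four levels above from their descriptions (the exact shape of each escape function, the javascript: URL level in particular, and all function names are assumptions) and adds a small checker that finds where the string literal handed to console.log really ends, which is what decides whether the rest of the input becomes code.

```javascript
// Added example (not from the original write-up).  The escape functions are
// reconstructed from the description; their exact shape is an assumption.

// Warmup: no escaping at all.
function warmupEscape(s) {
  return '<script>console.log("' + s + '");</script>';
}

// Adobe: each " becomes \" (the replace the text describes).
function adobeEscape(s) {
  s = s.replace(/"/g, '\\"');
  return '<script>console.log("' + s + '");</script>';
}

// JSON: JSON.stringify escapes " and \ but leaves < and > alone.
function jsonEscape(s) {
  return '<script>console.log(' + JSON.stringify(s) + ');</script>';
}

// JavaScript-URL level (assumed shape): quotes are escaped, but the result is
// placed in a javascript: URL, which the browser percent-decodes before running.
function jsUrlEscape(s) {
  return 'javascript:console.log(' + JSON.stringify(s) + ')';
}

// Index just past the closing quote of the first "..." literal in js,
// honouring backslash escapes the way the JavaScript lexer does.
function afterFirstStringLiteral(js) {
  var start = js.indexOf('"');
  if (start < 0) return -1;
  for (var i = start + 1; i < js.length; i++) {
    if (js[i] === '\\') { i++; continue; }  // skip the escaped character
    if (js[i] === '"') return i + 1;
  }
  return -1;                                // unterminated literal
}

// Code that would execute after the console.log string in a script body.
function codeAfterString(js) {
  var end = afterFirstStringLiteral(js);
  return end < 0 ? '' : js.slice(end);
}

// Split HTML into <script> bodies the way the HTML tokenizer does: a script
// element ends at the first </script>, regardless of JavaScript quoting.
function scriptBodies(html) {
  var bodies = [];
  var re = /<script>([\s\S]*?)<\/script>/gi;
  var m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// What the browser runs for a javascript: URL (percent-decoding happens first).
function jsUrlBody(url) {
  return decodeURIComponent(url.slice('javascript:'.length));
}
```

Running the same input `");alert(1)//` through warmupEscape and adobeEscape shows the difference: without escaping, codeAfterString returns `);alert(1)//");`, while with the backslash filter the string swallows the quote and only `);` is left. Prefixing the input with a backslash restores the break-out, and for the JSON level scriptBodies shows that `</script><script>` produces a second script body even though JSON.stringify left the string itself intact.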
The point to note here is that < is being globally replaced by &lt;, whereas " is being replaced only once by &quot;, so every double quote after the first one survives. Then I noticed how it is being replaced, split the whole thing up inside the text.replace() calls and arrived at the solution. Moreover, the escape function uses a template like
It will be rendered as:
<img src="a.gif" onload="alert(1)" alt""">
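The block below is an added example, not code from the original write-up or the challenge: it reproduces the replace-once versus replace-globally behaviour described above and checks what an attribute parser makes of the result. The template (the filtered text landing inside alt="…") and the function names are assumptions suggested by the rendered output; the challenge's real template is not reproduced here.

```javascript
// Added example (not from the original write-up).  The filter is the one the
// text describes; the template is an assumption.

// String.prototype.replace with a string pattern (or a regex without /g)
// replaces only the FIRST occurrence; a /g regex replaces every occurrence.
function markdownFilter(text) {
  return text.replace(/</g, '&lt;').replace('"', '&quot;');
}

// Assumed template: the filtered text lands inside a double-quoted attribute.
function renderImg(text) {
  return '<img src="a.gif" alt="' + markdownFilter(text) + '">';
}

// Minimal attribute parser for a single tag: returns the attribute names in
// the order they appear.  Enough to show whether an attribute the template
// never wrote (such as onload) has been smuggled into the tag.
function attributeNames(tag) {
  var names = [];
  var re = /\s([a-zA-Z-]+)="[^"]*"/g;
  var m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}
```

With a single quote in the input, the filter turns it into &quot; and the alt attribute stays closed; with two quotes, the first is sacrificed to the filter and the second closes alt, so whatever follows it is parsed as further attributes of the img tag.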
There were two points to note. One was the comment part, which made me realize that it was similar to the previous question, and even before reading the rest I tried the previous payload, which didn't work. Later I went through the rest of the code and figured out that the input was in an HTTP context.
First I noticed the comment section and figured out how TextNode#foo would show up; it just showed foo. Then I started reviewing all the functions in the DOM that begin with create, since that prefix is what the function uses. That led me to createComment. I tried giving Comment#<foo>, which showed <!--<foo>-->, i.e. the comment's contents are not escaped at all, and from there the solution was easy.
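The following is an added example, not code from the original write-up or the challenge: a Node-runnable model of how innerHTML serializes the two node types mentioned above. The real challenge uses the live DOM; here serializeText and serializeComment follow the HTML serialization rules (text nodes escape &, < and >; comment data is copied verbatim), renderSpec mirrors the "create" + name lookup the text describes (joining everything after the first # back together is a simplification), and tagNamesOutsideComments shows what an HTML parser would then see. All names are assumptions.

```javascript
// Added example (not from the original write-up).  Models innerHTML
// serialization of text and comment nodes; all names are assumptions.

function serializeText(data) {
  return data.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function serializeComment(data) {
  return '<!--' + data + '-->';       // comment data is NOT escaped
}

// Mirrors the document['create' + type] lookup described in the text.
var creators = {
  TextNode: serializeText,
  Comment: serializeComment
};

// "Type#data", e.g. "TextNode#foo" or "Comment#<foo>".
function renderSpec(spec) {
  var parts = spec.split('#');
  var fn = creators[parts[0]];
  if (!fn) throw new Error('unknown node type: ' + parts[0]);
  return fn(parts.slice(1).join('#'));   // simplification: one data argument
}

// Tag names an HTML parser would see outside comments.  A comment ends at the
// first "-->", so comment data that contains "-->" re-enters tag context.
function tagNamesOutsideComments(html) {
  var names = [];
  var i = 0;
  while (i < html.length) {
    if (html.startsWith('<!--', i)) {
      var end = html.indexOf('-->', i + 4);
      i = end < 0 ? html.length : end + 3;
      continue;
    }
    var m = /^<([a-zA-Z][a-zA-Z0-9]*)/.exec(html.slice(i));
    if (m) { names.push(m[1].toLowerCase()); i += m[0].length; continue; }
    i++;
  }
  return names;
}
```

A text node turns <foo> into &lt;foo&gt;, while a comment node wraps it untouched; the parser then sees no tag in <!--<foo>-->, but as soon as the comment data itself contains --> the comment is closed early and any tag after it is live markup.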
The point to note here was that I first gave the input exactly as shown in the comment and analysed how it was being rendered. Then I played with it until alert(1) got executed.
Here, the point to note was that the string you enter is converted to uppercase, so we need to find a way to write alert(1) that survives that. Why not try JSFuck, whose alphabet of []()!+ has no letters to uppercase?
");<alert(1) in JSFuck>;//
This is the same as the previous case, and the same solution applies: use JSFuck.
Here, once we try to execute, we can see that the HTML metacharacters are all filtered except for the backslash ( \ ). So we convert the payload into octal escapes, which need nothing but a backslash and digits, and submit that.
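The block below is an added example, not code from the original write-up or the challenge, of the octal-escape trick described above. htmlEscapeAll is an assumed filter that entity-encodes the usual metacharacters but lets the backslash through; toOctalEscapes rewrites the characters the filter would catch as JavaScript octal escapes, and decodeJsString shows what the JavaScript engine makes of the filtered result when it appears inside a quoted string literal. Names and the filter are assumptions.

```javascript
// Added example (not from the original write-up).  The filter is assumed;
// it stands in for whatever entity-encoding the level applies.

// Assumed filter: HTML-entity-encode the metacharacters; backslash passes.
function htmlEscapeAll(s) {
  var map = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[<>&"']/g, function (c) { return map[c]; });
}

// Rewrite every character the filter catches as a legacy octal escape
// (e.g. '<' -> '\074').  Pad to three digits so that a digit following the
// escape in the payload cannot be absorbed into it.
function toOctalEscapes(s) {
  return s.replace(/[<>&"']/g, function (c) {
    var oct = c.charCodeAt(0).toString(8);
    return '\\' + ('000' + oct).slice(-3);
  });
}

// How a sloppy-mode JavaScript string literal decodes \ooo sequences.
// Caveat: octal escapes are a SyntaxError in strict mode and in template
// literals, so this trick only works where the string lands in sloppy code.
function decodeJsString(literalBody) {
  return literalBody.replace(/\\([0-7]{1,3})/g, function (_, oct) {
    return String.fromCharCode(parseInt(oct, 8));
  });
}

// End to end: payload -> filter -> what the engine sees inside the literal.
function throughFilter(payload) {
  return decodeJsString(htmlEscapeAll(toOctalEscapes(payload)));
}
```

The filter changes nothing in the octal-escaped payload, because by then it contains no character the filter looks for, and the string literal decodes back to the original markup. Hex escapes (\x3c) would pass the same filter and are also valid in strict mode, which makes them the more robust choice when the string context allows either.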
What happens here is that the function only escapes the double quote ( " ) and not the < brackets; after the function returns its value, the result is checked again for < and that character is replaced globally.
The point to note is that backslashes are also being filtered, so we need to find another way to comment out the rest, and that is by
iframes have a useful feature: setting the name attribute on an iframe creates a property with that name on the parent page's global window object, referring to the frame's window.
The rest of the solutions will be updated later. Do subscribe, and raise any questions about this on Twitter.