Journeys in Quoteless and Multi Reflection XSS

  • Two reflected parameters
  • Both in a JavaScript string context
  • On the same line of code
  • Output is HTML-entity encoded, but backslash characters are not escaped
-1}});}; alert(1); {$.ajax({//
B00M! XSS 😎
  1. By adding a \ to id, the backslash escapes the quote that was meant to close the id string, so everything up to the opening quote of num is swallowed into that string.
  2. The num value therefore starts outside any string. Leading with -1 keeps the parser happy: it is read as a subtraction applied to the string, not as a stray token.
  3. Next, we close the data property, the anonymous options object, and the call to $.ajax with }});
  4. Then we close the body of getCard with a }
  5. Now fully out of the restrictive contexts, we can execute the XSS: alert(1);
  6. Lastly, the syntax errors are cleaned up by rebuilding the context we just broke out of and commenting out the rest of the line with {$.ajax({// so that whatever closes the original call on the following lines still has something to close.

Hi! I'm Ben, a Web App Hacker, Bug Bounty Hunter, and Self-Taught Techno Entomologist

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

My favourite Playground — Düsseldorf

Goodbye, Storyboards

How to build apps for Google Assistant with no programming experience

Thinkful’s Engineering Flex Review

GCD, Euclid and Efficient Algorithms

Celo India Fellowship — My Experience and Journal

NGINX based vod packager 소개

How We Built Our Brand New Developer Portal. And Why…

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Bend Theory

Bend Theory

Hi! I'm Ben, a Web App Hacker, Bug Bounty Hunter, and Self-Taught Techno Entomologist

More from Medium

HackTools-The complete Red Team add-on for Web Pentester

Future of Pentesting: 5 Tips to Improve App Security

Kioptrix: Level 1 [Vulnhub] Walkthrough

MSA Weekly 2 — NGINX (read: Engine X)Installation on Kali Linux Virtual Machine.