If you haven’t read it yet, I highly recommend reading part I first.
Without parentheses to call functions or brackets to address characters in a string, we can only rely on document properties to make the XSS payload work. The first one we will use is tagName. To make it easier to see what we are getting before the final payload, we will use alert boxes to display our candidate location constructions:
Doing so, we will see the string “svg” in the alert box. But what if we change the tag to something more useful for our purposes?
Needing the “:alert(1)” part and knowing the “location.hash” trick, we are tempted to try adding the two strings together to build our location:
As we can see, there’s a hash in the middle that we can’t get rid of. Or can we?
First we need to move the colon (“:”) to the tagName part (yes, we can):
It seems we now have valid code for location:
I don’t know what you might be thinking about it right now, but it paves the way to a lot of interesting constructions based only on document properties.
Before moving on, let’s see a common variation of our payload. This will be useful when we explore the next ones:
This time we changed the innerHTML property of the tag (and the hash) to a string that will be “concatenated” with alert(1) in order to execute it. We used single quotes in this example, but double quotes can be used as well, depending on the context. In our test page, for example, that payload with double quotes does not work.
But there’s an easy solution for that:
javascrip + t:’click me! + #’-alert(1)
javas + cript:’click me! + #’-alert(1)
The fun has just begun. In the next posts we will see advanced techniques to build this type of payloads.
P.S.: due to the formatting of this blog theme, type the quotes manually instead of copying and pasting, or it will not work.
P.S.2: Part III of this series is here.