Location Based Payloads – Part IV

To end this series (part I, part II and part III), here are all the document properties that can be used.

Document Properties Scheme

(Scheme: each property below is shown against this template URL, with the part that the property evaluates to highlighted.)

protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3

location.protocol: the protocol
location.hostname: the domain
location.pathname: /path/page
location.search: from ?p= up to the hash (text1, the injected tag and text2)
previousSibling.nodeValue, document.body.textContent*: text1 (before the tag)
tagName, nodeName: the tag name
outerHTML: the injected tag itself
innerHTML**, textContent**, nextSibling.nodeValue**, firstChild.nodeValue**, lastChild.nodeValue**: text2 (after the tag)
location.hash: # text3
URL, documentURI: the whole URL

—– x —–

To make it easy to replace one property by another (for example, when one of them is blacklisted), here they are grouped by position relative to the injected tag:

Before

previousSibling.nodeValue, document.body.textContent*

Itself

location.search, tagName, nodeName, outerHTML

After**

textContent, nextSibling.nodeValue, firstChild.nodeValue, lastChild.nodeValue, innerHTML

Hash

location.hash

* comes with source content (body)
** may need to close the injected tag

So when building a location based payload that uses document properties to avoid filtered characters or filtered sequences (like what may follow on*=), this should help to choose the right ones for the injection.
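As an added example (not code from the original post), a small Python scanner that applies the same grouping from the defender's side: it decodes the query and fragment of a request URL, finds on*= handlers in reflected markup, and reports which of the listed properties each handler references and which position group each one belongs to. The sample URLs and the handler regex are constructed for this example.

```python
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Property names grouped by the part of the page they read, as listed in the post;
# "url" holds the plain location components from the scheme.
PROPERTY_GROUPS = {
    "before": ["previousSibling.nodeValue", "document.body.textContent"],
    "itself": ["location.search", "tagName", "nodeName", "outerHTML"],
    "after": ["textContent", "nextSibling.nodeValue", "firstChild.nodeValue",
              "lastChild.nodeValue", "innerHTML"],
    "hash": ["location.hash"],
    "url": ["location.protocol", "location.hostname", "location.pathname",
            "URL", "documentURI"],
}

# Longest names first, so document.body.textContent is consumed before textContent.
_PROPS = sorted(((p, g) for g, ps in PROPERTY_GROUPS.items() for p in ps),
                key=lambda pg: -len(pg[0]))
_PROP_RES = [(re.compile(r"(?<![\w$])" + re.escape(p) + r"(?![\w$])"), p, g)
             for p, g in _PROPS]

# Heuristic: an on*= attribute inside a tag, capturing the handler body
# (double-quoted, single-quoted or bare).
HANDLER_RE = re.compile(
    r"<[a-z][\w-]*[^>]*?\bon\w+\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]*))", re.I)

def find_location_based_handlers(url):
    """Return [(handler_code, {group: [property, ...]})] for every on*= handler
    in the decoded query and fragment that references a listed property."""
    parts = urlsplit(url)
    decoded = unquote_plus(parts.query) + "#" + unquote(parts.fragment)
    hits = []
    for m in HANDLER_RE.finditer(decoded):
        code = next(g for g in m.groups() if g is not None)
        rest, found = code, {}
        for rx, prop, group in _PROP_RES:
            if rx.search(rest):
                found.setdefault(group, []).append(prop)
                rest = rx.sub(" ", rest)  # keep shorter names from re-matching
        if found:
            hits.append((code, found))
    return hits

# Constructed sample requests: two location-based handlers, one plain handler,
# and one with no handler at all.
SAMPLE_URLS = [
    "https://example.test/page?p=text1%3Cb+onmouseover=previousSibling.nodeValue%3Etext2#text3",
    "https://example.test/page?p=%3Cb+onmouseover='location.hash%2BtagName'%3E#text3",
    "https://example.test/page?p=%3Cb+onclick=1%3E",
    "https://example.test/page?p=hello%3Cb%3Eworld",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", find_location_based_handlers(u))
```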

#hack2learn
