XSS: Get a string without quotes
2 January 2017 14:44
Happy new year 2017 :)
Yesterday I got stuck when I DOM-based XSSed a website which removes quotes, double quotes, parentheses and backticks.
I don’t know if the trick is obvious, because I didn’t search, but I found a pretty use of the JavaScript RegExp short notation.
I haven’t yet found a solution without using parentheses or backticks :-( but I found some funny things that I am going to show you.
The main idea is to use the implicit cast of the shortened RegExp notation:
In order to instantiate the string "/test/g".
However, if we want to use it, we need to remove the leading "/" character and the trailing "/g" characters, like this:
Let’s play:
Note that the double backslashes ("\\") above avoid a syntax error, and they will be replaced by "//" in the location value.
@FrenchYeti
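As an added illustration (not code from the original post): the sketch below shows why a filter that only strips quotes, parentheses and backticks cannot stop string values from being produced by RegExp literals, and contrasts it with encoding untrusted input as data. The function names and sample input are constructed for this example.

```javascript
// Added example; function names and sample inputs are constructed, not from the post.

// Denylist of the kind the post describes: strips ' " ( ) and `.
function denylistFilter(input) {
  return input.replace(/['"()`]/g, "");
}

// What the language does with a RegExp literal, no quotes involved.
function regexStringForms() {
  const re = /test/g;
  return {
    cast: re + "",      // implicit cast to string keeps the delimiters and flags
    source: re.source,  // pattern text only
  };
}

// True when the filter leaves the expression untouched.
function survivesDenylist(expr) {
  return denylistFilter(expr) === expr;
}

// Mitigation for a JavaScript string context: emit the value as an escaped
// string literal so it can only ever be data, whatever characters it contains.
function encodeForScript(input) {
  return JSON.stringify(String(input)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

const sample = "/test/.source"; // constructed input: no quote, parenthesis or backtick
console.log(regexStringForms());
console.log(survivesDenylist(sample));
console.log(encodeForScript(sample));
```

The takeaway for a sanitizer test suite is that a character denylist should be replaced by context-aware encoding, or by keeping untrusted input out of script contexts entirely.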
1 Forum posts
/google.com/.source works as well ;)