XSS : Get string without quote

Sometimes, in JavaScript, we need to create String without using quotes or String.fromCharCode(). Learn how to take advantage from short RegExp notation.

Article published on 2 January 2017

by Georges Michel

Good year 2017 :)

Yesterday I was stuck when I DOM-based XSSed a website which removes quotes, double-quotes, parenthesis and back-tick.
I don’t know if the trick is obvious because I didn’t search, but I found a pretty use of JavaScript RegExp short notation.

I haven’t found yet a solution without using parenthesis or back-tick :-( but I found funny things I am going to show you.

The main idea is to use the implicit cast of a shortened RegExp notation :

[]+/test/g ; // returns "/test/g"

In order to instantiate the string "/test/g".
However, if we want to use it, we need to remove the starting char "/" and ending chars "/g" like this:

([]+/test/g).substr(1,4); // returns "test"

Let’s play :

location=([]+/http:\\google.com/g).substr(1,17); // redirects to http://google.com

Above, note these double back-slash ("\") avoid syntax error and they will be replaced by "//" in the location value.

@FrenchYeti

Also in this section