Recently I tried to solve the Detectify XSS challenge - Twins of Ten.
The idea is simple. Put XSS inside:
The task also contains PHP code that generates the vulnerable code.
To solve this we will use a few things:
0A - new line
// - single line comment
/* */ - multiline comment
Knowing that, we can start creating an exploit, which will have 3 parts:
%0A payload_2 /*
*/ payload_3 //
The first is used to open the <script> tag. When we pass &a=<script>// it will be displayed as:
So we have our
Then we need to create a new line, because everything after // is treated as a comment. So we use the second part:
Right now we declare the variable c (var c) and start a multiline comment (
It would be great if we could close the comment and add more code. We use the third part:
Here we close the comment (*/), set the value of the variable (c='a';) and start a new single line comment (
Sounds familiar? Yeah, we had this situation before (we need to create a new line again).
Now let’s create a string (for example alert(1);) and use the eval() function to execute it.
we can use
%2B which is encoded as
It’s time to finish the exploit. In order to fit eval(c) into the 6 character limit we need to use:
</script> we have 10 characters because we don’t need
Proof of Concept:
which will be displayed as
If you want to generate your own payload use:
PS. For a different solution click here.
- 08-07-2015: Sent solution to Detectify
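
Added example, not part of the original write-up or of Detectify's code: the fragments above each fit the length limit, yet joined together they form a script block, so the cap is not a control and output encoding is. The names LIMIT, renderRaw and renderEscaped and the one-value-per-line output layout are assumptions, since the challenge's PHP source is not reproduced on this page.

```javascript
// Added example. LIMIT, renderRaw, renderEscaped and the output layout are
// hypothetical; they model a handler that caps each reflected value.
const LIMIT = 10;

// Encode the characters that can open a tag or break out of an attribute.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// The only check the weak handler performs: every value fits the cap.
function passesLengthCheck(params) {
  return params.every(p => p.length <= LIMIT);
}

// Weak form: truncate, then echo each value on its own line, unencoded.
function renderRaw(params) {
  return params.map(p => p.slice(0, LIMIT)).join('\n');
}

// Hardened form: same truncation, but every value is encoded on output.
function renderEscaped(params) {
  return params.map(p => escapeHtml(p.slice(0, LIMIT))).join('\n');
}

// Check used on the rendered page: is there live script markup in it?
function hasScriptTag(html) {
  return /<\/?script\b/i.test(html);
}

// Constructed sample input, built only from fragments quoted in this post.
const sample = ['<script>//', '\nvar c/*', "*/c='a';//", '</script>'];

console.log('length check passes:', passesLengthCheck(sample));
console.log('raw output has script tag:', hasScriptTag(renderRaw(sample)));
console.log('escaped output has script tag:',
  hasScriptTag(renderEscaped(sample)));
```
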