3

As a pentester I came across this scenario:

<script type="text/javascript">

 URL = 'http://example.com?x=input';

I am able to insert a new line with %A0, spaces and almost anything except '. The problem is that I need that ' before making a new line so the JS doesn't break.

I am able to leave it like this:

<script type="text/javascript">

 URL = 'http://example.com?x=input;
 prompt`9`
 anything';

After the input and before the ; I need to insert a ' or it won't work... Is there any workaround/bypass on this? I am able to insert / too.

Anders
Mr. ToxicMan
  • Have you tried using web-encoded characters like %27 for ' or sending as binary? – TinCan Nov 02 '19 at 07:36
  • Yes, I have tried using %27 and double encoding; however, I didn't try binary... I never thought that encoding would work in this scenario. – Mr. ToxicMan Nov 04 '19 at 04:38

1 Answer

4

That's not XSSable.

(I'm assuming in your scenario angle brackets are blacklisted too. Otherwise, you could obviously close the script tag with </script> and inject a separate script that doesn't use single quotes.)

In JS/ES syntax, a string literal that starts with a single quote needs to be ended with a single quote. Since you can't inject one yourself, you may at most cause a syntax error by introducing unescaped line breaks or escaping the closing single quote with a \. An attacker could use that to prevent execution of the current script which may eventually be chained with other bugs to something more severe. But it's not XSS-exploitable by itself.

Arminius
    Yes, they are! Thanks for letting me know. Learning where the dead ends are is useful for future websites I test. Thank you. – Mr. ToxicMan Nov 01 '19 at 15:39
  • However, it is still exploitable (not as XSS) because you literally break JS code by making a new line. In the case previously explained, I just broke an entire piece of functionality of the website. – Mr. ToxicMan Nov 04 '19 at 04:41
  • @Mr.ToxicMan Sure, *"you may at most cause a syntax error"*. This *may* be helpful in some attack scenarios, but it's certainly not XSS-exploitable. – Arminius Nov 04 '19 at 08:02
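The following harness is an added example, not code from the question or the answer. It models the reflection point from the question (`URL = 'http://example.com?x=INPUT';`) and compiles each candidate payload the way the browser would compile the inline script, so you can see which inputs only break the page's script (a syntax error, as the answer says) and which would actually run attacker code. Assumptions: `new Function` stands in for the browser's script compiler, `prompt` is replaced by a spy so that injected code is detected without any side effect, and the payload list is constructed for this example. The `</script>` breakout mentioned in the answer is an HTML-level escape and is not modelled here.

```javascript
// Added example, not code from the original post. Models the injection
// context URL = 'http://example.com?x=INPUT'; and checks, per payload,
// whether the inline script still compiles and whether injected code ran.

function buildScript(input) {
  // The server echoes `input` verbatim inside a single-quoted string literal.
  return "URL = 'http://example.com?x=" + input + "';";
}

// Returns { compiles, injectedRan }.
// compiles === false: the whole inline script is rejected with a SyntaxError,
//   so nothing in it runs (breaks the page's functionality, but is not XSS).
// injectedRan === true: the payload escaped the literal and prompt`9` executed.
function assess(input) {
  let injectedRan = false;
  const spyPrompt = () => { injectedRan = true; return null; };
  let compiles = true;
  try {
    // `new Function` is the stand-in for the script compiler (assumption);
    // `var URL;` gives the script its own binding so it runs outside a browser.
    const script = new Function("prompt", "var URL;\n" + buildScript(input));
    script(spyPrompt);
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
    compiles = false;
  }
  return { compiles, injectedRan };
}

// Constructed payloads covering the cases discussed on the page.
const payloads = {
  // Harmless input: the string literal stays intact.
  "plain": "foo",
  // A real line break (LF) inside a '...' literal is a syntax error in ES,
  // so the page's script is rejected before prompt`9` is ever reached.
  "newline": "\n;prompt`9`",
  // U+00A0 (the %A0 from the question) is whitespace but not a JS
  // LineTerminator, so it is just another character inside the string.
  "nbsp": "\u00a0;prompt`9`",
  // A trailing backslash turns the server's closing quote into \' and leaves
  // the literal unterminated: syntax error again.
  "backslash": "\\",
  // Backslash followed by LF is a line continuation inside a string literal:
  // still valid, and still inside the string.
  "backslash-newline": "\\\n;prompt`9`",
  // Forward slashes never close a single-quoted literal.
  "slash": "/*;prompt`9`",
  // What the asker cannot send: a single quote closes the literal, and the
  // trailing // comments out the server's closing quote.
  "with-quote": "';prompt`9`;//",
};

for (const [name, input] of Object.entries(payloads)) {
  const r = assess(input);
  console.log(name.padEnd(18), "compiles:", r.compiles, " injected code ran:", r.injectedRan);
}
```

Run it with `node` and compare the last column: only the payload containing a single quote ever sets `injected code ran` to true; every other variant either leaves the literal intact or merely stops the script from compiling.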