New XSS without quotes I've found – Digitalmunition





This topic contains 1 reply, has 2 voices, and was last updated by  PapyrusGod 2 months ago.

  • #230613

    anonymous
    Participant

    There are websites that automatically escape any kind of quote, so you can't do much more than alert(1). In the past there's been the method of using regex like this: /stringToGet/.source, but some sites will escape more characters, so that sometimes won't work. I've found a way to get around that by putting together strings we can get easily. Example:

    abc=[];for(i=10;i<36;i-=-1){abc.push((i).toString(36))}empty=abc[0].repeat();alert([abc[23],abc[18],abc[18]].join(empty))

    For other characters you can often use the URL; for example, when you need https:// you can go location.protocol.

    Edit: other people found something similar: https://news.ycombinator.com/item?id=4365868
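
Added example, not part of the original post or thread: why escaping quotes is not a control when input lands in script context, next to an encoding that keeps the same input as data. The filter, the inline-script sink and all function names are assumptions made for illustration; `alert` is a stub so the snippet runs under Node.

```javascript
// Added example. naiveQuoteFilter and the inline-script sink are assumptions
// modelling the filter the post describes; they are not from any real site.

// Weak control: backslash-escape every kind of quote, nothing else.
function naiveQuoteFilter(input) {
  return input.replace(/['"`]/g, (q) => '\\' + q);
}

// Hardened control: serialize the value as a JS string literal so it can only
// ever be data, and escape characters that could end the <script> block.
function asScriptData(input) {
  return JSON.stringify(String(input)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Stand-in for the browser running the page's inline script: evaluates the
// generated source with a stub alert() and returns what alert() received.
function runInlineScript(source) {
  const calls = [];
  new Function('alert', source)((msg) => calls.push(String(msg)));
  return calls;
}

// The quote-free expression from the post above.
const QUOTELESS = 'abc=[];for(i=10;i<36;i-=-1){abc.push((i).toString(36))}' +
  'empty=abc[0].repeat();alert([abc[23],abc[18],abc[18]].join(empty))';

// Vulnerable template: filtered input lands in code position.
function weakPage(input) {
  return 'var q = ' + naiveQuoteFilter(input) + ';';
}

// Fixed template: the same input is emitted as a string literal.
function safePage(input) {
  return 'var q = ' + asScriptData(input) + ';';
}

function demo() {
  return {
    filterChangedInput: naiveQuoteFilter(QUOTELESS) !== QUOTELESS,
    weakAlerts: runInlineScript(weakPage(QUOTELESS)),
    safeAlerts: runInlineScript(safePage(QUOTELESS)),
  };
}
```

The quote filter returns the input untouched because there is nothing for it to escape, so the fix belongs in how the value is written into the page, backed by a Content-Security-Policy that disallows inline script.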

  • #230614

    PapyrusGod

    How is this new or unique?

  • #230615

    SpencerTheSmallPerso

    Really hit the -=-1 lol

  • #230616

    TheChuMaster

    Since you only have one line in the for loop, you might be able to get rid of the curly braces too
