Eventless


Another way

This time both "script" and JavaScript event handler attributes are blacklisted. But there is still another way to trigger JS execution.

Goal: alert(flag)

Hints

Hint #1

Iframes are a powerful tool in XSS exploitation; look at everything you can do with them: iframe on MDN

Hint #2

You cannot use the javascript: pseudo-URL because of the filter, and if you use a data: URL, the JS will execute on a different origin.

But src is not the only attribute you can exploit.

Hint #3

The srcdoc attribute lets you pass a whole HTML document as an attribute value. On top of that, the resulting iframe is treated as same-site with the parent page.

The attribute still goes through sanitisation, but you can try different encodings to bypass the filters.

Solution


By using srcdoc together with HTML entity encoding, you can bypass the filters and trigger the alert. In the solution, the 's' in "script" is replaced by its HTML-encoded form &#115;, so the blacklist never sees the literal word, while the browser decodes the attribute value before parsing it as the iframe's document. Since we are in a frame, we need to access the name of the parent frame.

$name = <iframe srcdoc='<&#115;cript>alert(flag)</&#115;cript>'>
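As an added, defender-side illustration (this is not part of the challenge or its published solution): a keyword blacklist modelled on the filter described above, a small entity decoder that mimics what the browser does to an attribute value such as srcdoc before the nested document is parsed, and a decode-before-check version of the same filter. The regular expressions, function names and the decision to treat any srcdoc attribute as privileged are assumptions made for this example; the payload string is the one from the solution.

```javascript
// Added example, not the challenge's own code. Shows why a raw-input
// keyword blacklist misses an entity-encoded srcdoc payload, and how a
// decode-before-check filter closes that particular gap.

// Blacklist modelled on the challenge (assumption: it only looks for the
// literal word "script" and for on*= event handler attributes).
const BLACKLIST = [/script/i, /\bon\w+\s*=/i];

// srcdoc inherits the embedder's origin, so the example treats it as a
// privileged attribute that a sanitizer should not let through at all.
const PRIVILEGED_ATTR = /\bsrcdoc\s*=/i;

function naiveFilterBlocks(input) {
  // Checks the input exactly as submitted, before any decoding.
  return BLACKLIST.some((re) => re.test(input));
}

// Minimal decoder for numeric (&#115; / &#x73;) and a few named character
// references, approximating the HTML parser's attribute-value decoding.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === "#") {
      const cp = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const named = NAMED[body.toLowerCase()];
    return named === undefined ? m : named;
  });
}

// Decode until the string stops changing (bounded), so that a doubly
// encoded value like &amp;#115; is also reduced to its final character.
function decodeToFixpoint(s, maxRounds = 3) {
  let current = s;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeEntities(current);
    if (next === current) break;
    current = next;
  }
  return current;
}

function hardenedFilterBlocks(input) {
  const decoded = decodeToFixpoint(input);
  // Run the same blacklist, but on what the browser will actually parse,
  // and additionally refuse srcdoc since it yields a same-origin document.
  return naiveFilterBlocks(decoded) || PRIVILEGED_ATTR.test(decoded);
}

// The payload from the solution above.
const SOLUTION_PAYLOAD = "<iframe srcdoc='<&#115;cript>alert(flag)</&#115;cript>'>";

function demo() {
  return {
    naiveBlocks: naiveFilterBlocks(SOLUTION_PAYLOAD),       // false: bypass
    hardenedBlocks: hardenedFilterBlocks(SOLUTION_PAYLOAD), // true
    decoded: decodeToFixpoint(SOLUTION_PAYLOAD),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The point for a defender is that a filter which inspects the raw submitted string is checking a different artefact from the one the browser executes: the attribute value is decoded first, and srcdoc then parses the result as a complete document in the parent's origin. Decoding before matching fixes this one bypass, but a keyword blacklist remains the wrong tool; an allowlist-based sanitizer that drops iframe/srcdoc entirely, plus a Content Security Policy without unsafe-inline, is the robust mitigation.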
