Javascript

Something on sandboxes

Character restrictions

Only ()+[]!
Only +[]{}!$`
No parentheses
Cool encoder

If your injected code is HTML-escaped (quotes become entities), you can use backticks ` to get strings through, because a backtick is not an HTML metacharacter. Just be aware that these strings are template literals, so any ${...} inside them will be interpolated.
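An added example (not from the original page) showing why HTML-escaping a value that lands inside a template literal is not enough, and what a JavaScript-context encoder does differently. The helper names (htmlEscape, jsStringEscape, renderScript) and the "flag{demo}" secret are this example's own inventions.

```javascript
// HTML-escaping touches only & < > " ' ; backticks and ${...} survive it,
// so a value dropped into a template literal is still live syntax.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// JS-context encoder: every non-alphanumeric character becomes \uXXXX.
// Inside a template literal such an escape is plain text: it can neither
// close the literal nor start a ${...} substitution.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Builds the script a hypothetical page would emit (a secret in scope, the
// user-supplied value placed inside a backtick string), runs it, and returns
// the value the template literal produced.
function renderScript(userValue, escapeFn) {
  const script = 'const secret = "flag{demo}";\n' +
                 'return `Hello ' + escapeFn(userValue) + '`;';
  return new Function(script)();
}

// Constructed inputs: neither contains a quote or angle bracket, so an
// HTML escaper leaves both untouched.
const INTERPOLATE = '${secret}';       // interpolates the in-scope variable
const BREAKOUT = 'x`+secret+`';        // closes the literal and concatenates

function demo() {
  return {
    htmlInterpolate: renderScript(INTERPOLATE, htmlEscape),   // 'Hello flag{demo}'
    htmlBreakout:    renderScript(BREAKOUT, htmlEscape),      // 'Hello xflag{demo}'
    jsInterpolate:   renderScript(INTERPOLATE, jsStringEscape), // 'Hello ${secret}'
    jsBreakout:      renderScript(BREAKOUT, jsStringEscape),    // 'Hello x`+secret+`'
  };
}

console.log(demo());
```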

Unicode shenanigans

Of course

Leaks

A function's .toString() renders its full source code, including comments!

function a() {
    /* Top sneaky: flag{1234} */
}
console.log(a.toString());

Exfiltration

Change the DOM inside an iframe

Technique

The host page isn't supposed to communicate with other domains. If you spawn an iframe from it and then change some DOM in the host, that change is inherited by the guest. Oops.
