Eval a url

You might have seen a blog post or came to the conclusion that urls are in fact valid JavaScript such as:


http://thespanner.co.uk
(label) (comment)

That’s weird and cool but how do we execute JavaScript from the url? Something like:

http://thespanner.co.uk\nalert(1)
(label) (comment) (newLine) (functionCall)

Trouble is the new line isn’t allowed inside the browser url bar or is it? ES5 introduced in the standard that line separators and paragraph separators would act as traditional new lines in JavaScript and separate new statements. Thankfully our friend IE allows us to do this directly in the url. Using these characters allows you to create an eval’able url.

test line sep
test para sep

So now we don’t need to do eval(location.hash.slice(1)) we can simply do eval(location) :) I found this while discussing with Mario and Yosuke Hasegawa on what the shortest HTML based XSS injection was. Using this technique it’s probably 21 (without using netscape 4).


<svg onload=eval(URL)

You of course must pass your JavaScript as a non-existent query param such as:

&&#x2028;alert(1)

Update…

As Stefano Di Paola points out, using hash will allow you to use this technique on Chrome and Opera.

2 Responses to “Eval a url”

  1. Stefano writes:

    very nice Gareth!

    About the update:
    according to:
    http://code.google.com/p/domxsswiki/wiki/LocationSources
    chrome, opera and IE URL object sees unencoded chars > 127 when in the hash part so the new vector:

    location.href=”http://challenge.hackvertor.co.uk/?challenge=1&input=<svg%20onload=eval(URL)#&\u2029alert('I win!')";

    will work on IE, Chrome and Opera.

  2. Gareth Heyes writes:

    Very nice :) shame about Firefox hmmm can we make it work there too