Puzzle 2 on kcal.pw
cure53 edited this page Sep 17, 2014
·
1 revision
Pages 22
- Home
- Cure53 Easter Challenge '13
- Cure53 Singapore Training Challenge
- Cure53 X Mas Challenge '13
- ES6 Challenge
- H5SC Mini Challenge 4
- H5SC Mini Challenge 5
- H5SC Minichallenge 3: "Sh*t, it's CSP!"
- H5SC Minichallenge 3: "Sh*t, it's CSP!".
- JSON Hijacking Mini Challenge
- Mini Puzzle 1 on kcal.pw
- Mini Puzzle 2 on kcal.pw
- Older Challenges and Write Ups
- prompt.ml
- Puzzle 1 on kcal.pw
- Puzzle 2 on kcal.pw
- Puzzle 3 on kcal.pw
- S03 XSS Puzzle
- Shibuya.XSS JIZEN GAKUSHU Challenge
- Shibuya.XSS JIZEN GAKUSHU Challenge 2
- XSSMas Challenge 2014
- XSSMas Challenge 2015
- Show 7 more pages…
XSS Challenge Wiki
Prompt.ml
- Prompt.ml The prompt(1) Challenge
Kcal.pw Puzzles
Cure53 Challenges
H5SC Mini-Challenges
Other Challenges
Clone this wiki locally
kcal.pw Puzzle 2
XSS Puzzle published by @filedescriptor in August 2014: http://kcal.pw/puzzle2.php
Code
<meta charset="utf-8">
<p>alert(1) in this origin</p>
<p><a href="?xss=XSS">give it a try</a></p>
<script>
if (0) {
<?php echo preg_replace('/}[\w\W]*{|</', '_', $_GET['xss']); ?>
}
</script>
<!--
<?php readfile(__FILE__); ?>Solution
The solution is based on abusing an ES3 feature that never made it into the standard but got prematurely implemented in MSIE: The colon-colon operator.
function self::onload(){alert(1)}What happens here is the following: MSIE allows to bind events to elements using the colon-colon operator. This code construct bypasses the strict filter regex the challenge is using and thereby introduces event handling inside the if(0) block. A load-event is being used on self, having the same effect as a window.onload.