Demystifying an XSS Payload: Part 3 — BruteLogic special


Since we know how we can perform XSS in this scenario, let’s get back to BruteLogic’s payload:

`` `/alert?.(1)'"><Svg/OnLoad='` ``

So what’s this payload about?

If you use it in place of the other payloads, in the `p` parameter, you will notice what it really does:

URL (with payload): https://brutelogic.com.br/multi/double-html.php?p=%60/alert?.(1)%27%22%3E%3CSvg/OnLoad=%27%60

As you can see in the page source, the attribute context was broken out of (the double quote `"` closes the attribute value and the `>` closes the tag).

Then an SVG element is introduced to the DOM. It contains an onload event handler.

I modified the payload a bit and added id=x to the SVG element just so that I can see all of its attributes.

Now let’s head over to the console (press CTRL+SHIFT+I):

We can notice that the SVG element has three attributes: `id`, `onload` and an attribute named `"` (a double quote).

The onload attribute is the one where the XSS magic happens. Let’s get into it for understanding how it works!

The payload is simple in the sense that all it does is run the JavaScript code in the onload event handler when the SVG loads.

That string might look weird, but it's very simple: the page reflects the payload twice, so the single-quoted `OnLoad` value runs from the `'` in the first reflection to the `'` in the second one, swallowing the markup in between (which is also why the SVG ends up with that stray `"` attribute). Allow me to explain :)

`` "`\">link one</a>\n<div name=\"div\"></div>\n<a href=\"`/alert?.(1)" ``

Let’s try to run it in the console first. And if you do, you would notice an alert pop up!

So what does it do?

All it does is divide the value of the template string (the backtick-quoted part) by `alert(1)`.

And in order to compute the result of the division, both the numerator and the denominator have to be evaluated. That's why, when `alert(1)` is evaluated, the alert shows up! Nothing fancy there...

You could have used `-` (subtraction) and that would have worked equally well!

Payload using subtraction:

`` `\">link one</a>\n<div name=\"div\"></div>\n<a href=\"`-alert?.(1) ``

Awesome, I get it all now! But what is this `?.` thingy?!

Brilliant question :)

`?.` is the optional chaining operator in JavaScript.

Let's say you want to reference some property `bar` within an object `foo`:

So you would write `foo.bar`, right?

But if `foo` is `null` or `undefined`, you will get an exception (a `TypeError`)!

But when you use the optional chaining operator (`foo?.bar`), you won't get an exception, but `undefined` instead :)

Sweet right!

So now you don't have to decorate your JS code with ugly if-else null checks and can get away with using the `?.` operator!

Great! Back to the payload now…

`alert?.(1234)` is just a fancy way of writing `alert(1234)`: the optional call only invokes `alert` if it is not `null` or `undefined`.

This can be helpful if, for instance, `alert` has been nulled out (set to `undefined` or `null`) in a sandbox. In those cases you can write your payload using this operator so that no exception is thrown (because exceptions might get reported back to the developers ;).
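The whole evaluation, from the onload string down to the optional call, as an added JavaScript example that is not part of the original post or of BruteLogic's lab; `handlerSource`, `runHandler` and `propertyAccess` are names made up here, and the stand-in for `alert` only records its argument so it runs in Node.

```javascript
// Added example, not code from the original post: it evaluates the expression
// that ends up in the SVG's onload handler with a stand-in for alert, so the
// evaluation rules described above can be checked outside a browser.

// The onload value as the console displayed it: a template literal, then an
// operator, then the optional call alert?.(1).
const TEMPLATE_PART =
  '`\\">link one</a>\\n<div name=\\"div\\"></div>\\n<a href=\\"`';

// Build the handler source with `/` (BruteLogic's payload) or `-` (the
// subtraction variant mentioned in the post).
function handlerSource(op) {
  return TEMPLATE_PART + op + 'alert?.(1)';
}

// Evaluate `src` as an expression. `binding` controls what the name `alert`
// means inside it:
//   'function'   -> a recording stand-in for alert
//   'undefined'  -> alert exists but has been nulled out (undefined)
//   'undeclared' -> no alert binding at all (as in plain Node)
// Returns { result, calls, error } so the outcome can be asserted on.
function runHandler(src, binding) {
  const calls = [];
  const out = { result: undefined, calls, error: null };
  try {
    if (binding === 'undeclared') {
      out.result = new Function('return (' + src + ')')();
    } else {
      const stub = binding === 'function' ? (x) => { calls.push(x); } : undefined;
      out.result = new Function('alert', 'return (' + src + ')')(stub);
    }
  } catch (e) {
    out.error = e.constructor.name; // e.g. 'ReferenceError'
  }
  return out;
}

// The post's foo.bar example: plain property access vs optional chaining.
function propertyAccess(foo, optional) {
  try {
    return { value: optional ? foo?.bar : foo.bar, error: null };
  } catch (e) {
    return { value: undefined, error: e.constructor.name };
  }
}

console.log(runHandler(handlerSource('/'), 'function'));   // calls: [ 1 ], result: NaN
console.log(runHandler(handlerSource('/'), 'undefined'));  // calls: [], no error
console.log(runHandler(handlerSource('/'), 'undeclared')); // error: 'ReferenceError'
```

Note that the optional call only helps when `alert` exists but is `undefined`/`null`; if the binding is missing entirely, the name lookup itself throws a `ReferenceError` before `?.` gets a say.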
