Another XSS auditor bypass

This bug is similar to the last one I posted but executes in a different context. It requires an existing script after the injection because we use it to close the injected script. It’s a shame chrome doesn’t support self closing scripts in HTML or within a SVG element because I’m pretty sure I could bypass it without using an existing script. Anyway the injection uses a data url with a script. In order to bypass the filter we need to concat the string with the quote from the attribute or use html entities such as //. The HTML parser doesn’t care how much junk is between the opening and closing script since we are using a src attribute.


http://challenge.hackvertor.co.uk/script3.php?x=%22%3E%3Cscript/src=data:,alert(1)%26sol;%26sol;


http://challenge.hackvertor.co.uk/script3.php?x=%22%3E%3Cscript/src=data:,alert(1)%2b%22



你可能感兴趣的:(Another XSS auditor bypass)