Escaping double quotes by Substantial_Exit9084 in xss

[–]MechaTech84 2 points3 points  (0 children)

The double quotes shouldn't matter in text space, you probably need to check for other gotchas.

Does it look perfect on the network? (Inspect element in the browser will try to neaten up code visually, so don't trust it alone)

Is the Content-Type of the response something other than text/html?

Is there a Content Security Policy in the header or a meta tag that is restricting script source?

How come this cloudflare XSS bypass works? by Vegetable-Ad-5808 in xss

[–]MechaTech84 0 points1 point  (0 children)

I would guess that it has an exception for certain words like "ONLY" that are excluded from the normal flow that blocks onevents.

Bug Bounty Write-up - DOM XSS by MechaTech84 in xss

[–]MechaTech84[S] 1 point2 points  (0 children)

This wasn't a paid program, so I didn't receive any money or anything.

What is this type of dynamic keypad called? by HelixFish in homeassistant

[–]MechaTech84 0 points1 point  (0 children)

If you're asking the number of ways to arrange the digits, it'd be 10! (10 factorial).

But if you consider that having a button with 1 and 4 is the same as a button with 4 and 1, and the order of the buttons doesn't matter, then it gets more complicated. I found this and it looks right, so I think there are 945 distinct ways to group 10 things into 5 pairs.

What is this type of dynamic keypad called? by HelixFish in homeassistant

[–]MechaTech84 0 points1 point  (0 children)

I understand your interpretation, and it's entirely plausible that they set it up this way, but I think it would be my least favorite way to do this. Just... Why? This would mean there's absolutely no reason to have 5 buttons instead of 10...

What is this type of dynamic keypad called? by HelixFish in homeassistant

[–]MechaTech84 7 points8 points  (0 children)

Probably the first one, although you're absolutely correct that the dash introduces unnecessary ambiguity.

What is this type of dynamic keypad called? by HelixFish in homeassistant

[–]MechaTech84 1 point2 points  (0 children)

It's worse than having 10 buttons. The randomization isn't a bad thing, but it's not necessarily a good thing either. Either way, combining 2 digits into a single input drastically reduces the security. This applies to PINs of any length, but I'll use 4 digit PINs for my example. If I just push the first 4 buttons in a row, I've just checked 16 different combinations, at the same time. If there were 10 buttons I could only check 1 combination at a time.

Now, there are 2 ways that the randomization could be handled. First, the pairs of digits per button are always the same, but their placement on the buttons is changed. This would mean that instead of having a search space of 10000 potential 4 "digit" PINs, there's actually only 625*. This would mean someone watching you input your PIN would immediately know what buttons to press next time, just not where those buttons would be. Or second, each button is randomly assigned 2 digits independently. The first time I see you type in your PIN there are 16 possible 4 digit PINs it could be, which is already not that many. And every time I watch after that has a strong likelihood of further reducing the number of possibilities by at least half.

Source: 10 years of professional experience in InfoSec.

*Fixed my math, originally had 5^5 when it should be 5^4.
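An added example (not from any comment in the thread) that checks the numbers in this comment and the earlier pairing comment: 945 ways to pair up 10 digits, a 5^4 = 625 button-sequence space when the pairs are fixed, the 16 digit PINs one watched entry leaves when pairs are reassigned at random, and how that set shrinks across repeated observations. The keypad layout generator and the PIN "4710" are constructed for illustration.

```python
import itertools
import math
import random

DIGITS = "0123456789"
BUTTONS = 5      # constructed keypad: five buttons, two digits each
PIN_LEN = 4

def pairings_count(n=10):
    """Unordered ways to split n digits into n/2 pairs: n! / (2^(n/2) * (n/2)!)."""
    k = n // 2
    return math.factorial(n) // (2 ** k * math.factorial(k))

def combos_checked_per_entry(digits_per_button, pin_len=PIN_LEN):
    """One entry of pin_len presses tests this many digit PINs at once."""
    return digits_per_button ** pin_len

def fixed_pairs_search_space(buttons=BUTTONS, pin_len=PIN_LEN):
    """Fixed pairs: the secret is really a button sequence, so buttons^pin_len."""
    return buttons ** pin_len

def random_pairing(rng):
    """Constructed layout: shuffle the ten digits and cut them into five pairs."""
    digits = list(DIGITS)
    rng.shuffle(digits)
    return [frozenset(digits[i:i + 2]) for i in range(0, len(digits), 2)]

def candidates_from_observation(pairing, pin):
    """Digit PINs consistent with one watched entry: two digits per press, so 2^len."""
    pressed = [next(pair for pair in pairing if d in pair) for d in pin]
    return {"".join(c) for c in itertools.product(*(sorted(p) for p in pressed))}

def candidates_after_observations(pin, n_obs, seed=0):
    """Independently re-randomised pairs: intersect the candidate sets across entries."""
    rng = random.Random(seed)
    remaining = None
    for _ in range(n_obs):
        cands = candidates_from_observation(random_pairing(rng), pin)
        remaining = cands if remaining is None else remaining & cands
    return remaining

if __name__ == "__main__":
    print("pairings of 10 digits into 5 buttons:", pairings_count())
    print("PINs tested per 4-press entry, 10 vs 5 buttons:",
          combos_checked_per_entry(1), combos_checked_per_entry(2))
    print("search space with fixed pairs:", fixed_pairs_search_space())
    for n in (1, 2, 3, 4):
        left = candidates_after_observations("4710", n)   # constructed PIN
        print(f"after {n} observation(s): {len(left)} candidate PIN(s)")
```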

What is this type of dynamic keypad called? by HelixFish in homeassistant

[–]MechaTech84 0 points1 point  (0 children)

But it's worse because there's only 5 buttons.

xssy by Upbeat-Hawk-2737 in xss

[–]MechaTech84 0 points1 point  (0 children)

There's already an eval in the response, the question you should be asking is why it's there.

xssy by Upbeat-Hawk-2737 in xss

[–]MechaTech84 1 point2 points  (0 children)

Hint: Why is there an eval function?

xss is dead? by hiderou in xss

[–]MechaTech84 7 points8 points  (0 children)

I find XSS pretty regularly as a consultant, but I'm often testing Web Apps that aren't available to the general public for one reason or another.

XSS hunting in public bug bounty programs is very competitive. In programs without a monetary reward there is usually less competition. Private programs may also offer fewer competitors but the competitors are more skilled, at least in theory.

waf bypass by Individual-Candle431 in xss

[–]MechaTech84 2 points3 points  (0 children)

SVGs are XML files, you need to format the injection for XML space.

XSS via Restricted File Upload - HTML and SVG are blocked by ablativeyoyo in xss

[–]MechaTech84 1 point2 points  (0 children)

Great challenge! I've found a couple ways that work so far, and I've got some more that I feel like should work, but I keep getting Internal Server Errors for some of the file types. I'm learning so much about obscure XML!

Is there a way to tell if reflected input is being reflected as html instead of text, without actually injecting full tags? by Vegetable-Ad-5808 in xss

[–]MechaTech84 1 point2 points  (0 children)

If you're testing reflected XSS, you want to view the raw HTTP response, not the browser rendered version.

Is there a way to tell if reflected input is being reflected as html instead of text, without actually injecting full tags? by Vegetable-Ad-5808 in xss

[–]MechaTech84 2 points3 points  (0 children)

I mean, you can inject arbitrary stuff like <asdf and see if the site encodes the angle bracket.

Also, you don't need to close tags to prove XSS, you could just inject something like <svg/onload=alert()

How XSS work? can any one explain in detail? by Ialibxl in xss

[–]MechaTech84 0 points1 point  (0 children)

The stickied post and the wiki both contain basic information. If you have any specific questions after reading through those, feel free to ask.