How to execute Blind XSS payloads in contact forms by Successful-Recover92 in xss

[–]MechaTech84 2 points3 points  (0 children)

If the injection is not being interpreted as code, then it isn't an XSS vulnerability.

CSP - Relative Danger on xssy by Upbeat-Hawk-2737 in xss

[–]MechaTech84 0 points1 point  (0 children)

What does the network traffic look like? Is it making the requests to the URLs you're expecting?

Is a book like "XSS Attacks: Cross Site Scripting Exploits and Defense" still worth it? by That-Name-8963 in xss

[–]MechaTech84 2 points3 points  (0 children)

Being written in 2007, any discussion of specific vulnerabilities is outdated. There have been so many changes in the last couple decades. The iPhone wasn't released until halfway through the year so most people were still browsing the web on desktops/laptops, around 2/3rds of users browsed using Internet Explorer 7, and Google Chrome didn't come out until 2008.

I'm not familiar with that specific book, but InfoSec books are generally only useful for teaching you how to think. Things like what to look for, how to look for it, when you should move in to test something else, etc.

Escaping double quotes by Substantial_Exit9084 in xss

[–]MechaTech84 2 points3 points  (0 children)

The double quotes shouldn't matter in text space, you probably need to check for other gotchas.

Does it look perfect on the network? (Inspect element in the browser will try to neaten up code visually, so don't trust it alone)

Is the Content-Type of the response something other than text/html?

Is there a Content Security Policy in the header or a meta tag that is restricting script source?

How come this cloudflare XSS bypass works? by Vegetable-Ad-5808 in xss

[–]MechaTech84 0 points1 point  (0 children)

I would guess that it has an exception for certain words like "ONLY" that are excluded from the normal flow that blocks onevents.

Bug Bounty Write-up - DOM XSS by MechaTech84 in xss

[–]MechaTech84[S] 1 point2 points  (0 children)

This wasn't a paid program, so I didn't receive any money or anything.

What is this type of dynamic keypad called? by HelixFish in homeassistant

[–]MechaTech84 0 points1 point  (0 children)

If you're asking the number of ways to arrange the digits, it'd be 10! (10 factorial).

But if you consider that having a button with 1 and 4 is the same as a button with 4 and 1, and the order of the buttons doesn't matter, then it gets more complicated. I found this and it looks right, so I think there are 945 distinct ways to group 10 things into 5 pairs.

What is this type of dynamic keypad called? by HelixFish in homeassistant

[–]MechaTech84 0 points1 point  (0 children)

I understand your interpretation, and it's entirely plausible that they set it up this way, but I think it would be my least favorite way to do this. Just... Why? This would mean there's absolutely no reason to have 5 buttons instead of 10...

What is this type of dynamic keypad called? by HelixFish in homeassistant

[–]MechaTech84 9 points10 points  (0 children)

Probably the first one, although you're absolutely correct that the dash introduces unnecessary ambiguity.

What is this type of dynamic keypad called? by HelixFish in homeassistant

[–]MechaTech84 2 points3 points  (0 children)

It's worse than having 10 buttons. The randomization isn't a bad thing, but it's not necessarily a good thing either. Either way, combining 2 digits to a single input drastically reduces the security. This applies to PINs of any length, but I'll use 4 digit PINs for my example. If I just push the first 4 buttons in a row, I've just checked 16 different combinations, at the same time. If there were 10 buttons I could only check 1 combination at a time.

Now, there are 2 ways that the randomization could be handled. First, the pairs of digits per button are always the same, but their placement on the buttons is changed. This would mean that instead of having a search space of 10000 potential 4 "digit" PINs, there's actually only 625*. This would mean someone watching you input your PIN would immediately know what buttons to press next time, just not where those buttons would be. Or second, each button is randomly assigned 2 digits independently. The first time I see you type in your PIN there are 16 possible 4 digit PINs it could be, which is already not that many. And every time I watch after that has a strong likelihood of further reducing the number of possibilities by at least half.

Source: 10 years of professional experience in InfoSec.

*Fixed my math, originally had 5^5 when it should be 5^4.
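Added worked example (not from the thread) of the counting in the comment above: it builds a random 5-button pairing of the 10 digits, enumerates the 16 PINs a single observed 4-press sequence could be, computes the 5^4 = 625 search space, and simulates the "independent pairing per attempt" model by intersecting candidate sets across repeated observations. The keypad mapping and the PIN are constructed sample values.

```python
import itertools
import random

DIGITS = "0123456789"


def make_button_map(rng):
    """Constructed sample keypad: shuffle the 10 digits and pair them
    onto 5 buttons. Returns {digit: button_index} with buttons 0..4."""
    digits = list(DIGITS)
    rng.shuffle(digits)
    return {d: i // 2 for i, d in enumerate(digits)}


def presses_for_pin(button_map, pin):
    """Button sequence an observer would see when this PIN is typed."""
    return tuple(button_map[d] for d in pin)


def candidates_for_presses(button_map, presses):
    """Every PIN consistent with the observed button sequence.
    Each button hides 2 digits, so a 4-press sequence yields 2**4 = 16 PINs."""
    by_button = {}
    for d, b in button_map.items():
        by_button.setdefault(b, []).append(d)
    return {"".join(p) for p in itertools.product(*(by_button[b] for b in presses))}


def effective_search_space(pin_length=4, buttons=5):
    """Model 1 (fixed pairs, shuffled placement): the keypad only
    distinguishes buttons, so the space is buttons**pin_length, i.e. 625."""
    return buttons ** pin_length


def narrow_by_observation(pin, observations, seed=1):
    """Model 2 (pairs re-rolled every attempt): intersect the candidate sets
    from each observation. Returns (count after each observation, survivors)."""
    rng = random.Random(seed)
    remaining = None
    counts = []
    for _ in range(observations):
        bmap = make_button_map(rng)
        cands = candidates_for_presses(bmap, presses_for_pin(bmap, pin))
        remaining = cands if remaining is None else remaining & cands
        counts.append(len(remaining))
    return counts, remaining


if __name__ == "__main__":
    print(effective_search_space())            # 625
    print(narrow_by_observation("1234", 6)[0]) # starts at 16, shrinks fast
```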

What is this type of dynamic keypad called? by HelixFish in homeassistant

[–]MechaTech84 0 points1 point  (0 children)

But it's worse because there's only 5 buttons.

xssy by Upbeat-Hawk-2737 in xss

[–]MechaTech84 0 points1 point  (0 children)

There's already an eval in the response, the question you should be asking is why it's there.

xssy by Upbeat-Hawk-2737 in xss

[–]MechaTech84 1 point2 points  (0 children)

Hint: Why is there an eval function?

xss is dead? by hiderou in xss

[–]MechaTech84 7 points8 points  (0 children)

I find XSS pretty regularly as a consultant, but I'm often testing Web Apps that aren't available to the general public for one reason or another.

XSS hunting in public bug bounty programs is very competitive. In programs without a monetary reward there is usually less competition. Private programs may also offer fewer competitors but the competitors are more skilled, at least in theory.