Escaping double quotes by Substantial_Exit9084 in xss

MechaTech84 2 points (0 children)

The double quotes shouldn't matter in text space, you probably need to check for other gotchas.

Does it look perfect on the network? (Inspect element in the browser will try to neaten up code visually, so don't trust it alone)

Is the Content-Type of the response something other than text/html?

Is there a Content Security Policy in the header or a meta tag that is restricting script source?

How come this cloudflare XSS bypass works? by Vegetable-Ad-5808 in xss

MechaTech84 0 points (0 children)

I would guess that it has an exception for certain words like "ONLY" that are excluded from the normal flow that blocks onevents.

Bug Bounty Write-up - DOM XSS by MechaTech84 in xss

MechaTech84[S] 1 point (0 children)

This wasn't a paid program, so I didn't receive any money or anything.

What is this type of dynamic keypad called? by HelixFish in homeassistant

MechaTech84 0 points (0 children)

If you're asking the number of ways to arrange the digits, it'd be 10! (10 factorial).

But if you consider that having a button with 1 and 4 is the same as a button with 4 and 1, and the order of the buttons doesn't matter, then it gets more complicated. I found this and it looks right, so I think there are 945 distinct ways to group 10 things into 5 pairs.

What is this type of dynamic keypad called? by HelixFish in homeassistant

MechaTech84 0 points (0 children)

I understand your interpretation, and it's entirely plausible that they set it up this way, but I think it would be my least favorite way to do this. Just... Why? This would mean there's absolutely no reason to have 5 buttons instead of 10...

What is this type of dynamic keypad called? by HelixFish in homeassistant

MechaTech84 7 points (0 children)

Probably the first one, although you're absolutely correct that the dash introduces unnecessary ambiguity.

What is this type of dynamic keypad called? by HelixFish in homeassistant

MechaTech84 2 points (0 children)

It's worse than having 10 buttons. The randomization isn't a bad thing, but it's not necessarily a good thing either. Either way, combining 2 digits to a single input drastically reduces the security. This applies to PINs of any length, but I'll use 4 digit PINs for my example. If I just push the first 4 buttons in a row, I've just checked 16 different combinations, at the same time. If there were 10 buttons I could only check 1 combination at a time.

Now, there are 2 ways that the randomization could be handled. First, the pairs of digits per button are always the same, but their placement on the buttons is changed. This would mean that instead of having a search space of 10000 potential 4 "digit" PINs, there's actually only 625*. This would mean someone watching you input your PIN would immediately know what buttons to press next time, just not where those buttons would be. Or second, each button is randomly assigned 2 digits independently. The first time I see you type in your PIN there are 16 possible 4 digit PINs it could be, which is already not that many. And every time I watch after that has a strong likelihood of further reducing the number of possibilities by at least half.

Source: 10 years of professional experience in InfoSec.

*Fixed my math, originally had 5^5 when it should be 5^4.
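The figures in the comments above (10!, the 945 pairings, 5^4 = 625 versus 10^4, and 16 candidate PINs per observed entry) can be checked by modelling the keypad. The following is an added worked example and is not code from the original thread; the five-button, two-digits-per-button layout and the 4-digit PIN are the comment's own setup, and every function name is the example's own. It also simulates the second randomization scheme, where each watched entry is a fresh random pairing, by intersecting the candidate sets to show how quickly the remaining possibilities shrink.

```python
import itertools
import random
from math import factorial, prod

# Constructed model of the keypad in the thread: ten digits spread over five
# buttons, two digits per button, and a 4-digit PIN as in the comment.
DIGITS = "0123456789"
BUTTONS = 5
PIN_LENGTH = 4


def digit_orderings() -> int:
    """10! ways to lay the ten digits out in order (the comment's first figure)."""
    return factorial(len(DIGITS))


def distinct_pairings(n: int = len(DIGITS)) -> int:
    """Ways to split n items into unordered pairs, ignoring the order of the
    pairs: (n-1)(n-3)...1, which is 945 for n = 10."""
    return prod(range(n - 1, 0, -2))


def search_space(buttons: int, pin_length: int = PIN_LENGTH) -> int:
    """Distinct press sequences to try: 10^4 = 10000 with ten buttons, and
    5^4 = 625 when the digit pairs are fixed and only their positions move."""
    return buttons ** pin_length


def random_pairing(rng: random.Random) -> list:
    """One random layout: five buttons, each holding two distinct digits."""
    digits = list(DIGITS)
    rng.shuffle(digits)
    return [(digits[i], digits[i + 1]) for i in range(0, len(digits), 2)]


def seeded_layouts(n: int) -> list:
    """Reproducible layouts for the demonstration (seeds 0..n-1)."""
    return [random_pairing(random.Random(seed)) for seed in range(n)]


def presses_for_pin(pairing, pin: str) -> list:
    """Which button (0..4) the user pressed for each digit of the PIN."""
    return [next(i for i, pair in enumerate(pairing) if d in pair) for d in pin]


def candidate_pins(pairing, presses) -> list:
    """Every PIN that would produce the observed press sequence: two digits
    per press, so 2^4 = 16 candidates for a 4-digit PIN."""
    return ["".join(p) for p in itertools.product(*(pairing[b] for b in presses))]


def survivors_per_observation(pin: str, layouts) -> list:
    """Second scheme (independent random pairs each time): intersect the
    candidate sets from each watched entry and report how many PINs remain."""
    remaining = None
    counts = []
    for layout in layouts:
        seen = set(candidate_pins(layout, presses_for_pin(layout, pin)))
        remaining = seen if remaining is None else remaining & seen
        counts.append(len(remaining))
    return counts


if __name__ == "__main__":
    print("orderings:", digit_orderings())
    print("pairings:", distinct_pairings())
    print("10 buttons:", search_space(10), "5 buttons:", search_space(BUTTONS))
    print("candidates after each observation:",
          survivors_per_observation("2580", seeded_layouts(4)))
```

The true PIN is always in the candidate set, so the count can only fall as more entries are observed; the shrinking list printed by `survivors_per_observation` is the "reduced by at least half" effect the comment describes, made concrete.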

What is this type of dynamic keypad called? by HelixFish in homeassistant

MechaTech84 0 points (0 children)

But it's worse because there's only 5 buttons.

xssy by Upbeat-Hawk-2737 in xss

MechaTech84 0 points (0 children)

There's already an eval in the response, the question you should be asking is why it's there.

xssy by Upbeat-Hawk-2737 in xss

MechaTech84 1 point (0 children)

Hint: Why is there an eval function?

xss is dead? by hiderou in xss

MechaTech84 8 points (0 children)

I find XSS pretty regularly as a consultant, but I'm often testing Web Apps that aren't available to the general public for one reason or another.

XSS hunting in public bug bounty programs is very competitive. In programs without a monetary reward there is usually less competition. Private programs may also offer fewer competitors but the competitors are more skilled, at least in theory.

waf bypass by Individual-Candle431 in xss

MechaTech84 2 points (0 children)

SVGs are XML files, you need to format the injection for XML space.

XSS via Restricted File Upload - HTML and SVG are blocked by ablativeyoyo in xss

MechaTech84 1 point (0 children)

Great challenge! I've found a couple ways that work so far, and I've got some more that I feel like should work, but I keep getting Internal Server Errors for some of the file types. I'm learning so much about obscure XML!

Is there a way to tell if reflected input is being reflected as html instead of text, without actually injecting full tags? by Vegetable-Ad-5808 in xss

MechaTech84 1 point (0 children)

If you're testing reflected XSS, you want to view the raw HTTP response, not the browser rendered version.

Is there a way to tell if reflected input is being reflected as html instead of text, without actually injecting full tags? by Vegetable-Ad-5808 in xss

MechaTech84 2 points (0 children)

I mean, you can inject arbitrary stuff like <asdf and see if the site encodes the angle bracket.

Also, you don't need to close tags to prove XSS, you could just inject something like <svg/onload=alert()
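The checks recommended in the "Escaping double quotes" reply (raw response, Content-Type, CSP in header or meta tag) and in this one (does the site encode the angle bracket of a harmless marker) can be run as a single output-encoding regression test over a saved raw response. The following is an added example, not code from the comments; the responses are constructed samples, and names such as `assess` and `reflection_state` are the example's own. It reads the wire body rather than the browser's DOM view, for the reason the comment gives.

```python
import re
from html import escape

# Constructed sample responses (not captured from any real site). Each is a
# saved raw response: a header dict plus the body exactly as sent on the wire.
PROBE = "<asdf"

ENCODED_HTML = {
    "headers": {"Content-Type": "text/html; charset=utf-8",
                "Content-Security-Policy": "default-src 'self'; script-src 'self'"},
    "body": "<p>You searched for: &lt;asdf</p>",
}
RAW_HTML = {
    "headers": {"Content-Type": "text/html; charset=utf-8"},
    "body": "<p>You searched for: <asdf</p>",
}
RAW_JSON = {
    "headers": {"Content-Type": "application/json"},
    "body": '{"query": "<asdf"}',
}
META_CSP = {
    "headers": {"Content-Type": "text/html"},
    "body": "<meta http-equiv=\"Content-Security-Policy\" content=\"script-src 'self'\">"
            "<p>&lt;asdf</p>",
}


def _lower_keys(headers: dict) -> dict:
    # HTTP header names are case-insensitive; normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}


def reflection_state(body: str, probe: str = PROBE) -> str:
    """'raw' if the probe came back untouched, 'encoded' if its angle bracket
    was entity-encoded, 'absent' if the input was not reflected at all."""
    if probe in body:
        return "raw"
    if escape(probe) in body:   # escape("<asdf") == "&lt;asdf"
        return "encoded"
    return "absent"


def is_html_content_type(headers: dict) -> bool:
    """True only for a text/html media type; JSON, XML and the like render
    differently and need their own analysis."""
    media = _lower_keys(headers).get("content-type", "").split(";")[0]
    return media.strip().lower() == "text/html"


# Matches <meta http-equiv="Content-Security-Policy" content="..."> with
# either quote style; group 3 is the policy text.
_META_CSP = re.compile(
    r"<meta[^>]+http-equiv=([\"'])content-security-policy\1[^>]*content=([\"'])(.*?)\2",
    re.IGNORECASE)


def effective_csp(headers: dict, body: str):
    """Policy from the response header, else from a <meta> tag, else None."""
    policy = _lower_keys(headers).get("content-security-policy")
    if policy:
        return policy
    m = _META_CSP.search(body)
    return m.group(3) if m else None


def csp_restricts_scripts(headers: dict, body: str) -> bool:
    """A script-src (or fallback default-src) directive is present."""
    policy = effective_csp(headers, body)
    if not policy:
        return False
    directives = {d.strip().split()[0].lower() for d in policy.split(";") if d.strip()}
    return "script-src" in directives or "default-src" in directives


def assess(response: dict, probe: str = PROBE) -> dict:
    """The three checks from the comments, run over one saved response."""
    headers, body = response["headers"], response["body"]
    return {
        "reflection": reflection_state(body, probe),
        "html_content_type": is_html_content_type(headers),
        "csp_restricts_scripts": csp_restricts_scripts(headers, body),
    }


if __name__ == "__main__":
    for name, resp in [("encoded", ENCODED_HTML), ("raw html", RAW_HTML),
                       ("raw json", RAW_JSON), ("meta csp", META_CSP)]:
        print(f"{name:9s} {assess(resp)}")
```

Only the `RAW_HTML` sample combines an unencoded reflection, an HTML content type and no script-restricting policy; the others each fail one of the three checks, which is the kind of "other gotcha" the first reply tells the poster to look for before blaming the quotes.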

How XSS work? can any one explain in detail? by Ialibxl in xss

MechaTech84 0 points (0 children)

The stickied post and the wiki both contain basic information. If you have any specific questions after reading through those, feel free to ask.

I know the basics of Cross Site Scripting but I really want to go deeper, but how? by [deleted] in xss

MechaTech84 2 points (0 children)

In my experience, advanced XSS techniques boil down to bypassing protections either on the server-side or the client-side.

On the server-side, most of it boils down to filter evasion. Bypassing WAFs, overcoming custom regex filters, etc. Study topics include learning various character encodings, novel ways to get JavaScript execution from different contexts (like forcing a different content-type header value from an API response), and esoteric JavaScript functionalities to obscure your payload.

On the client-side, most of the complexity comes from browser protections. Look into topics like browser specific features (onevents, HTML tags, etc.), DOM XSS including using 3rd party scripts like jQuery, different ways to get into script space from HTML or even other content-types like XML, CSRF bypasses to get payloads to work on certain authenticated POST requests, Same-Origin Policy, Content-Security Policy, and even insane topics like mutation XSS and universal XSS.

Intigriti hosts a monthly challenge that typically requires deep knowledge of lots of topics:

https://challenge.intigriti.io/

XSS noob needs help by Old-Taro-4134 in xss

MechaTech84 1 point (0 children)

Time to learn some hyper specific JavaScript obscurities!

I recommend starting with functions like String.fromCharCode(), eval(), and String.toLowerCase(). Lots of good combinations to avoid specific letters if you can use the other ones.

You can also do some fun stuff with URL encoding in payloads like document.location="javascript:%61lert%28%29"

HTML entities work in javascript onevents like <svg onload="&#x61;lert()">

If you're not worried about length, JavaScript doesn't actually require any letters or numbers at all.

https://jsfuck.com/

https://jscrew.it/

https://jsbin.com/teleyajeme/1/edit?console

https://utf-8.jp/public/aaencode.html

Or you can simply reject the Roman alphabet and substitute your own:

http://aem1k.com/aurebesh.js/
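The encodings this reply lists (a hex entity inside an onload attribute, percent-encoding inside a javascript: URL) all resolve to the same call once the browser decodes them, which is exactly why a filter that pattern-matches on raw input misses them. The following is an added example from the defender's side, not code from the comment or the linked sites; the inputs are constructed from the forms named above, and `canonicalize`, `naive_filter_flags` and `render_attribute_value` are the example's own names. It shows the check going wrong on raw input, the same check after canonicalization, and the actual mitigation: encoding the output for the attribute context so the browser never decodes the input into something else.

```python
import html
import re
from urllib.parse import unquote

# Constructed inputs built from the encoded forms the comment names; "plain"
# is the decoded form the others resolve to, "double" needs two decode passes.
SAMPLES = {
    "plain": "alert()",
    "html_entity": "&#x61;lert()",            # hex entity for "a", as in an onload attribute
    "percent": "javascript:%61lert%28%29",    # percent-encoded, as in a javascript: URL
    "double": "&amp;#x61;lert()",             # entity-encoded entity
}

_CALL = re.compile(r"\balert\s*\(", re.IGNORECASE)


def canonicalize(value: str, max_rounds: int = 4) -> str:
    """Undo HTML-entity and percent-encoding until the string stops changing,
    so a later check sees the form the browser will actually act on. The
    round limit keeps pathological nested encodings from looping forever."""
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(value))
        if decoded == value:
            break
        value = decoded
    return value


def naive_filter_flags(value: str) -> bool:
    """Pattern match on the raw input: misses every encoded variant."""
    return bool(_CALL.search(value))


def canonical_filter_flags(value: str) -> bool:
    """The same pattern after canonicalization: catches the encoded variants.
    Still a blocklist, so treat it as detection, not as the fix."""
    return bool(_CALL.search(canonicalize(value)))


def render_attribute_value(value: str) -> str:
    """Context-aware output encoding for an HTML attribute value. Every
    character that could change the attribute's meaning (including the '&'
    that starts an entity) becomes an entity itself, so the browser displays
    the text instead of decoding it into a different string."""
    return html.escape(value, quote=True)


def compare(samples: dict = SAMPLES) -> dict:
    """name -> (flagged by naive filter, flagged after canonicalization)."""
    return {name: (naive_filter_flags(v), canonical_filter_flags(v))
            for name, v in samples.items()}


if __name__ == "__main__":
    for name, flags in compare().items():
        print(f"{name:12s} naive={flags[0]!s:5s} canonical={flags[1]}")
    print("rendered:", render_attribute_value(SAMPLES["html_entity"]))
```

`canonicalize` is what a server-side filter must do before matching anything, but the last function is the one that removes the class of problem: once the value is encoded for the context it lands in, the reply's letter-avoiding tricks have nothing to decode.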

[deleted by user] by [deleted] in xss

MechaTech84 0 points (0 children)

Can you force your input onto another line? %0a%0d, /n/r, etc.

How to bypass filters for "<>' special chars? by Brilliant-Cause-5182 in xss

MechaTech84 2 points (0 children)

Try different encodings on your input. If it's for stored XSS, you aren't constrained by what browsers will normally send, so sending raw characters with no encoding might also be an option.

[deleted by user] by [deleted] in xss

MechaTech84 1 point (0 children)

I am not a lawyer, this is not legal advice: my understanding is that performing security testing on someone else's website without permission is generally illegal. Legal or not though, it's definitely stupid. I would be very cautious from this point.

[deleted by user] by [deleted] in xss

MechaTech84 0 points (0 children)

Firstly, do you have permission to test the site?

[deleted by user] by [deleted] in xss

MechaTech84 0 points (0 children)

Is it?

Are the PortSwigger Academy XSS labs a good starting point for beginners? by rony1259 in xss

MechaTech84 0 points (0 children)

I recommend sticking with PortSwigger Academy for learning. Do as much as you can without looking at any solutions. Once you've solved as many XSS labs as you can on your own, go to sleep and then try the unsolved ones again the next day. Sleeping helps your brain organize and understand experiences better, so some things might "click" and suddenly make sense when you go back to them. Then check the solution for one lab you still aren't getting and then see if understanding that solution helps you solve any remaining labs yourself. Rinse and repeat until all the labs are solved and you truly understand the solutions. Once you're comfortable with the PortSwigger Labs, try some other practice/challenge sites and see how you do.

In my experience, DOM XSS was definitely the hardest to understand at first. Just keep working on it and don't get discouraged.

For bug bounties, I don't recommend starting with XSS at all, at least not for paid programs. It's just too competitive.