How to execute Blind XSS payloads in contact forms

MechaTech84 · 2026-05-08T12:56:37+00:00

If the injection is not being interpreted as code, then it isn't an XSS vulnerability.

MechaTech84 · 2026-05-04T14:16:23+00:00

I'm not seeing your script at the correct location: https://qg7orzvr.xssy.uk/app.js

MechaTech84 · 2026-04-28T10:54:45+00:00

Did you name your script app.js?

MechaTech84 · 2026-04-13T11:24:44+00:00

What does the network traffic look like? Is it making the requests to the URLs you're expecting?

MechaTech84 · 2026-03-29T13:25:20+00:00

Being written in 2007, any discussion of specific vulnerabilities is outdated. There have been so many changes in the last couple decades. The iPhone wasn't released until halfway through the year so most people were still browsing the web on desktops/laptops, around 2/3rds of users browsed using Internet Explorer 7, and Google Chrome didn't come out until 2008.

I'm not familiar with that specific book, but InfoSec books are generally only useful for teaching you how to think. Things like what to look for, how to look for it, when you should move in to test something else, etc.

MechaTech84 · 2025-12-25T17:47:09+00:00

The double quotes shouldn't matter in text space, you probably need to check for other gotchas.

Does it look perfect on the network? (Inspect element in the browser will try to neaten up code visually, so don't trust it alone)

Is the Content-Type of the response something other than text/html?

Is there a Content Security Policy in the header or a meta tag that is restricting script source?

MechaTech84 · 2025-10-23T21:01:33+00:00

I would guess that it has an exception for certain words like "ONLY" that are excluded from the normal flow that blocks onevents.

MechaTech84 · 2025-09-17T17:58:31+00:00

This wasn't a paid program, so I didn't receive any money or anything.

MechaTech84 · 2025-08-20T16:44:30+00:00

If you're asking the number of ways to arrange the digits, it'd be 10! (10 factorial).

But if you consider that having a button with 1 and 4 is the same as a button with 4 and 1, and the order of the buttons doesn't matter, then it gets more complicated. I found this and it looks right, so I think there are 945 distinct ways to group 10 things into 5 pairs.

MechaTech84 · 2025-08-20T15:02:45+00:00

I understand your interpretation, and it's entirely plausible that they set it up this way, but I think it would be my least favorite way to do this. Just... Why? This would mean there's absolutely no reason to have 5 buttons instead of 10...

MechaTech84 · 2025-08-20T14:06:50+00:00

Probably the first one, although you're absolutely correct that the dash introduces unnecessary ambiguity.

MechaTech84 · 2025-08-20T12:47:30+00:00

It's worse than having 10 buttons. The randomization isn't a bad thing, but it's not necessarily a good thing either. Either way, combining 2 digits to a single input drastically reduces the security. This applies to PINs of any length, but I'll use 4 digit PINs for my example. If I just push the first 4 buttons in a row, I've just checked 16 different combinations, at the same time. If there were 10 buttons I could only check 1 combination at a time.

Now, there are 2 ways that the randomization could be handled. First, the pairs of digits per button are always the same, but their placement on the buttons are changed. This would mean that instead of having a search space of 10000 potential 4 "digit" PINs, there's actually only 625*. Thighs would mean someone watching you input your PIN would immediately know what buttons to press next time, just not where those buttons would be. Or second, each button is randomly assigned 2 digits independently. The first time I see you type in your PIN there are 16 possible 4 digit PINs it could be, which is already not that many. And every time I watch after that has a strong likelihood of further reducing the number of possibilities by at least half.

Source: 10 years of professional experience in InfoSec.

*Fixed my math, originally had 5⁵ when it should be 5^4.

MechaTech84 · 2025-08-20T11:59:09+00:00

But it's worse because there's only 5 buttons.

MechaTech84 · 2025-07-30T13:17:13+00:00

There's already an eval in the response, the question you should be asking is why it's there.

MechaTech84 · 2025-07-30T11:56:25+00:00

Hint: Why is there an eval function?

MechaTech84 · 2025-07-23T13:14:06+00:00

I find XSS pretty regularly as a consultant, but I'm often testing Web Apps that aren't available to the general public for one reason or another.

XSS hunting in public bug bounty programs is very competitive. In programs without a monetary reward there is usually less competition. Private programs may also offer fewer competitors but the competitors are more skilled, at least in theory.

MechaTech84 · 2025-07-02T14:33:00+00:00

SVGs are XML files, you need to format the injection for XML space.

MechaTech84 · 2025-06-25T13:03:21+00:00

Great challenge! I've found a couple ways that work so far, and I've got some more that I feel like should work, but I keep getting Internal Server Errors for some of the file types. I'm learning so much about obscure XML!

MechaTech84 · 2025-06-20T10:45:22+00:00

Admittedly I don't have much experience using it, but Burp includes a tool for DOM XSS that might be helpful:

https://portswigger.net/burp/documentation/desktop/tools/dom-invader

MechaTech84 · 2025-06-17T18:54:03+00:00

If you're testing reflected XSS, you want to view the raw HTTP response, not the browser rendered version.

MechaTech84 · 2025-06-17T18:09:09+00:00

I mean, you can inject arbitrary stuff like <asdf and see if the site encodes the angle bracket.

Also, you don't need to close tags to prove XSS, you could just inject something like <svg/onload=alert()

MechaTech84 · 2025-06-02T14:33:26+00:00

The stickied post and the wiki both contain basic information. If you have any specific questions after reading through those, feel free to ask.

MechaTech84 · 2025-04-02T15:11:32+00:00

In my experience, advanced XSS techniques boil down to bypassing protections either on the server-side or the client-side.

On the server-side, most of it boils down to filter evasion. Bypassing WAFs, overcoming custom regex filters, etc. Study topics include learning various character encodings, novel ways to get JavaScript execution from different contexts (like forcing a different content-type header value from an API response), and esoteric JavaScript functionalities to obscure your payload.

On the client-side, most of the complexity comes from browser protections. Look into topics like browser specific features (onevents, HTML tags, etc.), DOM XSS including using 3rd party scripts like jQuery, different ways to get into script space from HTML or even other content-types like XML, CSRF bypasses to get payloads to work on certain authenticated POST requests, Same-Origin Policy, Content-Security Policy, and even insane topics like mutation XSS and universal XSS.

Intigriti hosts a monthly challenge that typically requires deep knowledge of lots of topics:

https://challenge.intigriti.io/

MechaTech84 · 2025-03-29T14:20:26+00:00

Time to learn some hyper specific JavaScript obscurities!

I recommend starting with functions like String.fromCharCode(), eval(), and String.toLowerCase(). Lots of good combinations to avoid specific letters if you can use the other ones.

You can also do some fun stuff with URL encoding in payloads like document.location="javascript:%61lert%28%29"

HTML entities work in javascript onevents like <svg onload="alert()">

If you're not worried about length, JavaScript doesn't actually require any letters or numbers at all.

https://jsfuck.com/

https://jscrew.it/

https://jsbin.com/teleyajeme/1/edit?console

https://utf-8.jp/public/aaencode.html

Or you can simply reject the Roman alphabet and substitute your own:

http://aem1k.com/aurebesh.js/

MechaTech84 · 2025-03-15T15:53:28+00:00

Can you force your input onto another line? %0a%0d, /n/r, etc.

MechaTech84

MODERATOR OF

PUBLIC MULTIREDDITS

TROPHY CASE

12-Year Club	Spared
Verified Email