
Lab: Reflected XSS in a JavaScript URL with some characters blocked

This lab reflects your input in a JavaScript URL, but all is not as it seems. This initially seems like a trivial challenge; however, the application is blocking some characters in an attempt to prevent XSS attacks.


The lab will be solved, but the alert will only be called if you click “Back to blog” at the bottom of the page.

The exploit uses exception handling to invoke the alert function with specified arguments. The throw statement is used, with a blank comment as the separator, in order to get around the restriction on spaces. The alert function is assigned to the onerror exception handler.

As throw is a statement, it cannot be used as an expression. Instead, we need to use arrow functions to create a block so that the throw statement can be used. We then need to call this function, so we assign it to the toString property of the window and trigger this by forcing a string conversion on the window.
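Why the character blocklist fails as a control, shown from the defender's side as an added example (not code from the lab or from the original write-up). The blocked character set, the link template and the `track` function name are assumptions made for illustration; the probe string is constructed and is not a working payload.

```javascript
// Assumed blocklist: the page only says spaces and "some characters" are blocked.
const BLOCKED = /[ ()]/;

// Weak control: reject blocked characters, then concatenate the value into a
// string literal inside a javascript: URL (hypothetical template).
function buildLinkBlocklist(postId) {
  if (BLOCKED.test(postId)) return null;
  return `<a href="javascript:track('/post?postId=${postId}')">Back to blog</a>`;
}

// Audit helper: which characters with JavaScript meaning pass the blocklist?
// Quotes, comment delimiters, arrows and braces are all syntax, not data.
function survivingSyntax(input) {
  if (BLOCKED.test(input)) return [];
  return [...new Set(input.match(/['"`\\{}=>,;\/*&]/g) || [])];
}

// Corrected form: allowlist the expected type (a numeric post id) and keep
// user data out of any script context. The href is a plain URL; analytics
// would be attached from a static script via the data attribute.
function buildLinkSafe(postId) {
  if (!/^[0-9]{1,10}$/.test(postId)) return null;
  return `<a href="/post?postId=${encodeURIComponent(postId)}" data-track="1">Back to blog</a>`;
}

// Constructed probe: contains no blocked character, yet is full of syntax.
const PROBE = "1'/**/=>{}";

function demo() {
  return {
    blocklistAccepts: buildLinkBlocklist(PROBE) !== null,
    syntaxThatSurvives: survivingSyntax(PROBE).join(''),
    allowlistAccepts: buildLinkSafe(PROBE) !== null,
    normalLink: buildLinkSafe('7'),
  };
}

console.log(demo());
```

The blocklist accepts the probe unchanged because every character in it is individually "allowed", while the allowlist rejects it outright and never builds a `javascript:` URL at all.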


