data-xss
This is an old revision of the document!
Lessons learned from Google Capture The Flag 2024: [WEB] sappy
On challenges where we need XSS and for example host is checked, we can do the following using data url schema:
let url = new URL("data://osorin.net/,<script>alert()</script>");
fetch(url)
.then(response => response.text())
.then((response) => {
console.log(response)
})
.catch(err => console.log(err));
console.log(url.host);
Other write-up(s) with different solutions: https://adragos.ro/google-ctf-2024/#sappy
data-xss.1724246002.txt.gz · Last modified: 2024/08/21 13:13 by osorin