@Mugdha: The < and > were blocked. We tried your suggestion, Unicode
and that worked too. I'd swear we'd tried that out though :rollseyes.
Thanks anyway.
@Walid: No I'm not designing the wargame though that may be a nice
idea going forward :D.
The final bypass hence turns out to be
document.write("\u003cimg src=a onerror=alert(1)\u003e")
A final question though. How does the browser interpret Unicode and
Hex and all that? As in yes..I understand there is intelligence built
in to it but how does it decide..Right...This is Unicode. This is URL
Encoded. This is Hex..This is normal text. Is it just by the \u \x %
...?? Or is it something deeper. Are there a few good reads?
Thanks
Arvind
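Added example, not part of the original post: a sketch of why a filter that blocks literal < and > passes the string above, and of encoding at the HTML sink as the fix. Each parser decodes only its own escape syntax, so \u and \x are resolved by the JavaScript string parser while %XX is left alone. The function names and the filter are hypothetical; the sample input is the string quoted in the post.

```javascript
// Source text of the string literal from the post, as a character-blocking
// filter would see it: backslash, 'u', and four hex digits, no angle brackets.
const sourceText = String.raw`\u003cimg src=a onerror=alert(1)\u003e`;

// Hypothetical filter of the kind described in the thread: rejects literal < and >.
function naiveFilterAllows(text) {
  return !/[<>]/.test(text);
}

// Model of what the JavaScript parser does inside a string literal, limited to
// \uXXXX, \xXX and \\ (other escapes are out of scope for this sketch).
// %XX and &#x..; are not JavaScript escapes: they belong to the URL and HTML
// parsers, so they pass through unchanged here, as they do in a real JS string.
function decodeJsEscapes(text) {
  return text.replace(
    /\\(?:u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2})|(\\))/g,
    (match, u, x, backslash) =>
      backslash ? "\\" : String.fromCharCode(parseInt(u || x, 16))
  );
}

// Mitigation: encode for the HTML context at the sink, on the decoded value,
// so the result is inert no matter which escape form produced the characters.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Compare what the filter sees with what the HTML sink would receive.
function analyse(text) {
  const value = decodeJsEscapes(text);
  return {
    filterAllowsSource: naiveFilterAllows(text), // check on the raw source text
    valueHasMarkup: /[<>]/.test(value),          // check after JS decoding
    safeForHtml: escapeHtml(value),              // what should reach the sink
  };
}

console.log(analyse(sourceText));
```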