On the screenshot below, you can see that we can fully inject our payload without breaking a sweat. But you may notice that our // isn't reflected: it was meant to comment out the excess characters after the injection point, and without it those leftovers cause a syntax error that makes our payload benign.

Also, we need to put a semicolon before confirm() to terminate the JavaScript object declaration.

But just like our //, the filter also removed our semicolon (;), and we got the same result as above. 🙁

To trick the filter, we used an asterisk (*) in place of the semicolon as the character that ends the JavaScript object declaration: * is the multiplication operator, so the object literal, confirm(), and whatever follows are parsed as one valid expression instead of three statements. To trigger confirm() and absorb the excess double quote and closing brace added by the object declaration, we then appended a dummy function expression.

So our final payload is: "}*confirm()*function t(){t="

Which makes our payload…POP!

Try it https://jsfiddle.net/L1zyfpmq/
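To show why a strip-list filter like the one above is not a fix, here is an added example (not code from the original post or from the page the author tested). It assumes the vulnerable template has the shape var cfg = {"name":"<user input>"} (an assumed shape, not taken from the post), reproduces the filter that removes // and ;, and contrasts it with proper output encoding: JSON-encoding the value as a string literal and escaping the characters that matter inside a script block. Each generated script is parsed and run with a stub confirm so we can observe whether the value stayed inside the string.

```javascript
// Added example; the template shape, the filter and all sample inputs are assumptions.

// The filter the post describes: strip "//" and ";" from the reflected value.
function naiveFilter(input) {
  return input.replace(/\/\//g, "").replace(/;/g, "");
}

// Correct handling: emit the value as a JSON string literal, then escape
// characters that are dangerous inside a <script> block even within a string.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Vulnerable template: raw quotes around a filtered value.
function buildNaive(input) {
  return 'var cfg = {"name":"' + naiveFilter(input) + '"}';
}

// Hardened template: the encoder supplies the quotes, so the value cannot close them.
function buildSafe(input) {
  return "var cfg = {\"name\":" + jsStringLiteral(input) + "}";
}

// Parse and run a generated script with a stub confirm() that only counts calls.
// Returns whether the script parsed, how many times confirm ran, and cfg.name.
function runWithStub(script) {
  let calls = 0;
  try {
    const fn = new Function(
      "confirm",
      script + ";\nreturn typeof cfg === 'object' && cfg !== null ? cfg.name : undefined;"
    );
    const name = fn(function () { calls += 1; return true; });
    return { parsed: true, confirmCalls: calls, name: name };
  } catch (e) {
    return { parsed: false, confirmCalls: calls, error: e.name };
  }
}

// Constructed inputs: the post's two attempts against each template.
const semicolonAttempt = '"};confirm();function t(){t="';   // the filter breaks this one
const asteriskAttempt = '"}*confirm()*function t(){t="';    // the post's final payload

function demo() {
  return {
    naiveSemicolon: runWithStub(buildNaive(semicolonAttempt)), // parsed: false
    naiveAsterisk: runWithStub(buildNaive(asteriskAttempt)),   // confirmCalls: 1
    safeAsterisk: runWithStub(buildSafe(asteriskAttempt)),     // confirmCalls: 0, name intact
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The strip-list only "works" against the semicolon version because the leftover characters no longer parse; the asterisk version is a syntactically valid expression and runs. With the encoded template, both inputs are stored verbatim in cfg.name and nothing executes, which is the property a defender actually wants: the value can never leave the string literal, regardless of which operator or delimiter it contains.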

Any tricks you want to share? Tell us in the comment section below.

Credits to the owner/s of the featured image used in this blog.
