Add writeups for prompt.ml levels -2 to -4 about xsschallengewiki HOT 26 CLOSED

I am not sure if the author is ready for the solutions to be public.

@filedescriptor What do you think?

from xsschallengewiki.

I am totally okay with that.

from xsschallengewiki.

@filedescriptor Cool :)

@gsingh93 Pull requests are welcome!

from xsschallengewiki.

@filedescriptor As far as I know, this has been fixed in Chromium for some months by now. Should we document the solution from back then?

from xsschallengewiki.

No objection!

from xsschallengewiki.

IIRC it was )},prompt(1)}{{// correct?

from xsschallengewiki.

)},{0:prompt(1 worked. But I'm not sure if yours worked as well.

from xsschallengewiki.

Mine worked in a local set-up on Chrome 25. Not sure, what Chrome version it worked in last - and the vectors changed over time due to different with blocks in the browser code.

from xsschallengewiki.

I think we can mention either one - because we focus more on the peculiar instead of the actual implementation.

from xsschallengewiki.

Here is a draft version for sanity check:

https://github.com/cure53/XSSChallengeWiki/wiki/prompt.ml#hidden-level--4

from xsschallengewiki.

lgtm!

from xsschallengewiki.

Should we add -2 and -3 as well?

from xsschallengewiki.

Sure

from xsschallengewiki.

Do you still have the solutions at hand? :) Then I can take care.

from xsschallengewiki.

-2: @if(0)@end (@cc_on is not necessary)
-3: semi-colon instead of ampersand

from xsschallengewiki.

I know - I recall what the way of solving it was, but I didn't wanna spent time on both re-finding the exact solution and doing the write-up - thus asking for the solutions in case you still have them - not just the general way :)

Also not in a hurry here, if you still have the string I'll use it, if not, I'll re-solve :P

from xsschallengewiki.

Ah sorry about that. I don't have the original solutions but I've just tried to recall them:
-2: "><script>@if(0)#@end;prompt(1)@if(0)#@end</script>
For -3, I am not sure if the API has changed but I can't seem to reproduce anymore

from xsschallengewiki.

Thanks :D And same here for "-3", just tried as well.

from xsschallengewiki.

I think it was ;callback=prompt(1, - possible?

from xsschallengewiki.

I think it should be something like "onclick=prompt(1) id="a";callback=a.click;
because the callback name is validated. We first create a click event handler, and set the callback to reference to its click function to invoke the payload.

from xsschallengewiki.

Ah, fair enough. I will use that. Thx :)

from xsschallengewiki.

Let me know if you need helps :) By the way I think you can also mention that -3 is a scenario for SOME

from xsschallengewiki.

Technically not SOME but COME and that sounds very non-beneficial...

from xsschallengewiki.

Ready for a sanity check!

from xsschallengewiki.

Looks perfect! Finally the write-up is complete, thanks mario :D

from xsschallengewiki.

Thank you :)

from xsschallengewiki.