JavaScript accepts back-ticks as a type of quotation mark, so we actually have three different marks to work with (single quote, double quote, and back-tick).
Sometimes you’ll need to break out of a tag that you’re being inserted into. Various options:
- Use
">
if you’re being inserted into an HTML attribute. - Use
</pre>
or</textarea>
for preformatted blocks and text areas. - Use
';
followed by;//
for direct JavaScript inserts. (Note that it’s only possible to insert<script/>
tags if the JavaScript you’re abusing is being included from a file, as HTML parsers are greedy about the closing</script>
tag.)
Most regular expressions and filters are only executed in a single pass. Thus, a regular expression that’s filtering out <script>
and </script>
tags can be circumvented by using <s<script>cript>
and </s</script>cript>
. That said, this trick doesn’t work for regular expressions that are removing single characters (for example, <
and >
).
You can also use the onload
attribute to pull in JavaScript, though note that this is only functional the first time the page is loaded. This will often require you to close out the preceding attribute ("
) and leave off the trialing "
of the onload
attribute in order for everything to work properly.
There’s also “polygot” strings which work in a variety of contexts. These have some pretty wild escaping going on; for example, the following (lightly modified from TryHackMe’s example) produces an “XSS” alert: