However, Firefox allows JavaScript to be executed in expressions. In Firefox set
USERINPUT3A to this:
); 1:expression(alert(1)
USERINPUT4 is trivial to exploit. Simply set USERINPUT4 to this:
";alert(1);
USERINPUT5 is more deeply embedded within the JavaScript. To insert an alert(1)
call that is reliably executed, you must break alert(1) out of all enclosing code blocks
and ensure that the JavaScript before and after it is valid, like this:
')){}alert(1);if(0)
The text before alert(1) completes the original if statement, thus ensuring that the
alert(1) function is executed all the time. The text following alert(1) creates an if
statement for the remaining code block so the whole code block between script tags is
valid JavaScript. If this is not done, then the JavaScript will not be interpreted because of
a syntax error.
40 Hacking Exposed Web 2.0
You can inject JavaScript into USERINPUT6 using a plethora of tricks. For example,
you can use this:
">
Or, if angle brackets are disallowed, use a JavaScript event handler like onclick as
follows:
" onclick="alert(1)
USERINPUT7 also has many options like this:
'>
Or this:
' style='x:expression(alert(1))
Or simply this:
javascript:alert(1)
The first two suggestions for USERINPUT7 ensure that the script will be executed
upon loading the page, while the last suggestion requires that the user click the link.
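Each injection point above sits in a different output context (a JavaScript string for USERINPUT4 and USERINPUT5, a quoted attribute for USERINPUT6, a link target for USERINPUT7, as inferred from the inputs shown), so each needs its own encoding. The following is an added example, not code from the book: one encoder per context, run against the inputs quoted above. The function names, the link template, and the example.invalid base URL are assumptions for illustration.

```javascript
// Added example: context-specific output encoders (hypothetical helper names).

// Quoted HTML attribute context (USERINPUT6 and the quote-based USERINPUT7 inputs):
// encode every character that can close the attribute value or open a tag.
function encodeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string context (USERINPUT4, USERINPUT5): the result must be placed
// inside a quoted string literal. Everything except ASCII alphanumerics becomes
// \uXXXX, so quotes, parentheses, semicolons and "</script>" stay inside the string.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Link target context (the javascript: input for USERINPUT7): accept only
// http(s) URLs, then attribute-encode the normalized URL. Returns null if rejected.
function safeHref(value) {
  let url;
  try {
    // Constructed base URL so that relative links still parse.
    url = new URL(String(value), 'https://example.invalid/');
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return encodeHtmlAttr(url.href);
}

// Constructed template: a link whose title and href both carry user input.
function renderLink(userTitle, userHref) {
  const href = safeHref(userHref) || '#';
  return `<a title="${encodeHtmlAttr(userTitle)}" href='${href}'>link</a>`;
}
```

Encoding for one context does not protect another: attribute encoding leaves javascript:alert(1) untouched, which is why the link target is checked by scheme before it is encoded.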