Question:
Guys, I wanted to understand the logic of an XSS challenge I was doing.
When I put <script>alert(1);</script> it doesn't work, but when I put </script><script>alert(1);</script> the message appears. Why?
The code below generates HTML in an unsafe way. Prove it by calling alert(1).

function escape(s) {
  // Warmup.
  return '<script>console.log("' + s + '");</script>';
}
Challenge Link: http://escape.alf.nu/0/
Answer:
Inside that function you have a string of HTML.
This string has the opening <script> tag and will receive the content that the user enters.
If, within the content you insert, you put the closing tag of that script, </script>, then you "cheat the code" and can add a new opening <script> tag and put whatever you want in it.
In your first example, <script>alert(1);</script>, the result is:

return '<script>console.log("<script>alert(1);</script>");</script>';

where the last </script> is discarded by the browser.
In your second example, you interrupt the console.log syntax and generate HTML with the script tag that you inserted, and it looks like this:

<script>console.log("</script><script>alert(1);</script>");</script>

The first block, <script>console.log("</script>, gives a syntax error, but the browser still runs the next block, <script>alert(1);</script>, which gives the alert.
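To see the tokenizer behaviour the answer describes, and what a fix looks like, here is an added example (not the poster's code and not the challenge's own): the page's escape() beside a JSON.stringify-only near-miss and a hardened version, plus a small model of how the HTML tokenizer splits <script> blocks. The two payloads are the ones from the question; runs in Node.js with no dependencies.

```javascript
// Added example: the challenge's escape() beside two alternatives, plus a
// tiny model of the HTML tokenizer's script-data state.

// From the challenge: the input lands inside a JS string literal inside a
// <script> block and nothing is escaped.
function escapeUnsafe(s) {
  return '<script>console.log("' + s + '");</script>';
}

// Common near-miss: JSON.stringify yields a valid JS string literal (quotes
// and backslashes escaped) but leaves '<' and '/' alone, so a "</script>"
// in the input still reaches the HTML tokenizer intact.
function escapeJsonOnly(s) {
  return '<script>console.log(' + JSON.stringify(String(s)) + ');</script>';
}

// Hardened: JSON.stringify, then rewrite every '<' as the escape \u003c,
// which both JS and JSON read as '<'. The HTML tokenizer, which knows no
// JS escapes, never sees a literal "</script" inside the block.
function safeLiteral(s) {
  return JSON.stringify(String(s)).replace(/</g, '\\u003c');
}
function escapeSafe(s) {
  return '<script>console.log(' + safeLiteral(s) + ');</script>';
}

// Model of the tokenizer: the first "</script" ends the block regardless of
// where the JS syntax stands. Returns the body of each <script> block found.
function scriptBlocks(html) {
  const re = /<script[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Constructed inputs: the two payloads from the question.
const PLAIN = '<script>alert(1);</script>';
const BREAKOUT = '</script><script>alert(1);</script>';

const variants = [['unsafe', escapeUnsafe], ['json-only', escapeJsonOnly], ['safe', escapeSafe]];
for (const [name, fn] of variants) {
  // unsafe and json-only yield two blocks for BREAKOUT; safe yields one.
  console.log(name, JSON.stringify(scriptBlocks(fn(BREAKOUT))));
}
```

With escapeSafe the browser runs a single block whose console.log prints the original string unchanged, because the JS engine decodes \u003c back to '<' after the HTML tokenizer has already decided where the block ends.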