javascript – Doubt about an XSS exercise

Question:

Guys, I wanted to understand the logic of the following XSS challenge I was doing.

Why is it that when I enter <script>alert(1);</script> it doesn't work, but when I enter </script><script>alert(1);</script> the message appears?

The code below generates HTML in an unsafe way. Prove it by calling
alert(1).

function escape(s) {   // Warmup.
   // s is concatenated straight into the HTML with no escaping of quotes or tags
   return '<script>console.log("'+s+'");</script>';
}

Challenge Link: http://escape.alf.nu/0/

Answer:

Inside that function you have a string of HTML.

This string has the opening <script> tag and will receive content that the user enters.

If, within the content you insert, you put the closing tag of that script, </script>, then you "trick the code": you can add a new opening <script> tag and put whatever you want in it.

In your first example, <script>alert(1);</script>, the result is:

return '<script>console.log("<script>alert(1);</script>");</script>';

where the last </script> is discarded by the browser.

In your second example, you interrupt the console.log syntax and generate HTML with the script tag that you inserted, and it looks like this:

<script>console.log("</script><script>alert(1);</script>");</script>

The first <script>console.log("</script> block gives a syntax error, but the browser still runs the next <script>alert(1);</script> block, which gives the alert.
