While learning xss I came across a write up on zseano hackerone ctf.
The post illustrates embedding an alert call inside the comment section. Forgive any misspeak, but my understanding is:
There is an html area in which we will supply the input:
<textarea class="form-control rounded-0" id="msgreport" rows="5"></textarea>
which is then loaded into the comment via an api call executed by:
addComment(document.getElementById('msgreport').value);
once the comment is generated a new html div is populated and in it is the following:
<script>var commentContent='test'-alert(2)-'hello';</script>
The format illustrated in the post:
test'-alert(2)-'hello
is a little confusing for me. I dissected it further and found that when I use typeof it tells me it is a number.
My background is not in web dev so I am a little lost on how exactly this works.
I would think that test'alert(2)'xss would work as well; however, when I loaded it up — no dice.
> Solution:
To know the final result of 'test'-alert(2)-'hello', JS has to evaluate what exactly is returned from alert(2), and there is no other way to do that than to execute the function call.
In JS, 'a' - 'b' is valid, even if it leads to a non-number outcome (NaN):
console.log('a' - 'b')
Keeping that in mind, 'a'alert(2)'b' would be a syntax error and would not execute any code.
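To make the answer concrete from the defender's side, here is an added example (not code from the write-up or the CTF itself) that rebuilds the inline script the way the page shows it, runs it with a stub alert() so the function call is observable, and then shows the same input embedded through a properly escaped string literal. The function names buildInlineScript, buildInlineScriptSafe and simulate are hypothetical; the only thing taken from the page is the payload text and the shape of the inline script.

```javascript
// Added example, not from the original post: why 'test'-alert(2)-'hello'
// executes code when it is dropped raw into a JS string literal, why
// typeof reports "number", and how escaping the value before embedding
// turns the same input into plain data.

// Vulnerable builder: mirrors the page's inline script, which places the
// raw comment between single quotes with no escaping.
function buildInlineScript(comment) {
  return "var commentContent='" + comment + "';";
}

// Hardened builder: JSON.stringify emits a valid JS string literal (quotes
// and backslashes escaped). The extra replace() calls escape characters
// that are legal inside JSON but still dangerous inside a <script> block
// or a JS string: < > & (so "</script" can never appear) and the
// U+2028/U+2029 line terminators.
function buildInlineScriptSafe(comment) {
  const literal = JSON.stringify(String(comment))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return "var commentContent=" + literal + ";";
}

// Constructed simulation of the browser executing the inline script:
// the generated code runs in its own function scope with an alert() stub
// that only records what it was called with, then returns commentContent.
function simulate(script) {
  const calls = [];
  const fakeAlert = (x) => { calls.push(x); return undefined; };
  let value;
  let error = null;
  try {
    // 'alert' is a parameter of the generated function, so the script
    // resolves alert() to our stub instead of a real dialog.
    value = new Function("alert", script + " return commentContent;")(fakeAlert);
  } catch (e) {
    error = e.name; // a malformed script fails here, before anything runs
  }
  return { alertCalls: calls, value, type: typeof value, error };
}

const payload = "test'-alert(2)-'hello"; // the comment body from the write-up

// Vulnerable: the quote closes the literal, the minus operators force
// alert(2) to be evaluated, and 'test' - undefined - 'hello' is NaN.
// typeof NaN is "number", which is what the asker saw.
const vuln = simulate(buildInlineScript(payload));

// Hardened: the quote is part of an escaped literal, so the whole payload
// is stored as a string and alert() is never called.
const safe = simulate(buildInlineScriptSafe(payload));

// The asker's variant test'alert(2)'xss is a SyntaxError: the engine
// rejects the script as a whole, so no part of it executes.
const broken = simulate(buildInlineScript("test'alert(2)'xss"));

console.log("vulnerable:", vuln);
console.log("hardened:  ", safe);
console.log("malformed: ", broken);
```

The key design point is that the fix is not filtering the word "alert" but choosing a serializer whose output is guaranteed to be a single string literal whatever the input contains; JSON.stringify plus the small set of HTML/line-terminator escapes is the usual way to get that guarantee when a server-rendered value must land inside a script block.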