Published: 22 May 2020 at 13:08 UTC
Updated: 04 June 2020 at 09:31 UTC
Have you ever found some risky behavior, but couldn't quite prove it was exploitable? Our XSS cheat sheet contains virtually every exploit technique we know of, but what should you do if you can't find a technique for your scenario? Did we just forget to mention the right technique, or is it actually unexploitable?
Here at PortSwigger we think anything is hackable, so when we come across a problem that isn't solvable we don't like it. We frequently invest a significant amount of time in trying to crack these challenges, and we know many of you do the same. That's why we decided to create an 'impossible labs' section on our XSS cheat sheet, offering two key benefits:
1) If you're up for a challenge, you can try and solve these labs and win eternal fame
2) If you find a scenario in the wild that matches one of our impossible labs and can't exploit it, you can have reasonable confidence that nobody else knows how to exploit it either.
This section will grow in time but for the time being we have 8 labs. Each lab defines a small problem that our research team has tried to solve but have been unable to pop an alert, limiting us to scriptless attacks like dangling markup injection which are often less powerful. Can you do the impossible and solve these labs?
This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour, and it's only known to be exploitable in old IE with <%tag.
The closest we've got to solving this is when you have multiple injection points, the first within a script based context and the second in HTML.
You have a site that processes the query string and URL decodes the parameters but splits on the equals then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event.
We received a request from twitter about this next lab. It occurs within a frameset but before a body tag with equals filtered. You would think you could inject a closing frameset followed by a script block but that would be too easy.
William Bowling @wcbowling solved this lab. The limit is now 20.
Roman Shafigullin solved this lab! The limit is now 19.
Roman Shafigullin & Terjanq solved this lab! The limit is now 18.
Luan Herrera solved this lab! The limit is now 17.
Think you have solved an impossible lab? You are my new hero. Be ready to accept fame and glory, please report your epic accomplishment on twitter or file a new issue on Github.
To view the impossible labs please consult the XSS cheat sheet.