+ 11

[🏆 challenge 🏆🎮] Most innovative way to exploit!!! ⚠🎰💡🌐🚨

I have used eval and have directly assigned it to the innerHTML of a div which makes it vurnerable to some kind of exploitation. So, the challenge is to make a one liner to input into my code which would produce the most unexpected output. https://code.sololearn.com/Wlu3v8uYHIsv/?ref=app

16th Oct 2017, 4:24 PM
Swapnil Srivastava
Swapnil Srivastava - avatar
11 ответов
+ 13
here's something then paste this: document.body.innerHTML and see what happens when you try to input something in the new input element in the bottom of the page
17th Oct 2017, 4:23 PM
Burey
Burey - avatar
+ 20
document.body.innerHTML=null should do it althought it's onlymon the client side if it worked with a server that fetches some info and then eval it then it would cause more harm cool code nonetheless :) edit i see now you did almost what i did in your code comments xD whatever you do, stay away from while(true) 😅
16th Oct 2017, 5:31 PM
Burey
Burey - avatar
+ 14
the people wants mayhem!! (╯°□°)╯︵ ┻━┻
17th Oct 2017, 5:10 AM
Burey
Burey - avatar
+ 9
should really try alert(abc()) heaps of fun 🤗
17th Oct 2017, 8:19 PM
Burey
Burey - avatar
+ 8
I think many have not understood the challenge so I am explaining it. The eval() function in js executes the code given to it as a string. In my code, I have done- var x= eval(inputbox.value); //so, this executes the value of the inputbox and if any value is returned then assigns it to x div.innerHTML =x;//excluding try-catch // so the returned value is written into the div. So, the challenge is to give a input which will exploit this vulnerability and give unexpected output. Eg- alert("Hacked!!!") If you put double quotes then it is directely displayed. Eg- "<marquee>Hacked!!!</marquee>" So, you guys, just give a try to this challenge.
17th Oct 2017, 10:21 AM
Swapnil Srivastava
Swapnil Srivastava - avatar
+ 8
@Burey This one is great!!!
17th Oct 2017, 4:41 PM
Swapnil Srivastava
Swapnil Srivastava - avatar
+ 8
pasting this: abc=0 will display 0 and then break your code so next use attempt will not display your custom error message, but console normal error about 'abc is not a function' ;P
17th Oct 2017, 6:22 PM
visph
visph - avatar
+ 6
@Burey Your idea is good; but, the challenge is to create the most unexpected output. Not the most damaging. Still, good idea.
17th Oct 2017, 1:24 AM
Swapnil Srivastava
Swapnil Srivastava - avatar
+ 6
Nice ones @Burey and @visph
18th Oct 2017, 3:46 AM
Swapnil Srivastava
Swapnil Srivastava - avatar
+ 5
document.body.innerHTML is very interesting xD
16th Oct 2017, 9:48 PM
Nick
Nick - avatar
+ 3
so we actually can have constructive content regarding security/hacking. 👍
18th Oct 2017, 10:22 AM
Kustaa