How to get fully reflected XSS executed in title tag?

0xr49n4r · May 8, 2020, 9:45am

I recently found a website which could be vulnerable to postMessage attack and lets set any code within the title tags but strangely code is not executed.

Here is what code does:

var m = function(e) {
                var d = JSON.parse(e.data);
                document.title = d.title
                .....
window.addEventListener('message', m, false);

So everything I pass through window.postMessage(’{“title”:“JAVASCRIPT CODE HERE”}’, ‘*’) is fully reflected in title, however not executed.

Reflection in source-code (Chrome Browser):

Is it beause it is set through document.title? And are there ways to make it executable?

R29k · May 8, 2020, 8:36pm

Did you try it in firefox?

acut3 · May 10, 2020, 7:18am

Try to set the title with something like:

s = document.createElement("script");
s.textContent = d.title;
document.getElementsByTagName("title")[0].appendChild(s);

0xr49n4r · May 10, 2020, 5:27pm

Yes, I tried Firefox. It is the same.

I tried a couple of payloads, even some very exotic ones as the one of ultimate XSS polyglot.

0xr49n4r · May 10, 2020, 5:29pm

Not sure what you mean with this

If you mean something like

then the result is

acut3 · May 10, 2020, 6:00pm

I misinterpreted your original message. I thought you were able to control the way the title is set. It looks like you’re not. So there’s no possibility for an XSS here.

Newma1n · September 3, 2020, 12:42pm

I have exactly the same question. Anyone got a suggestion?

Topic		Replies	Views
Xss reflected regarding Starter Zone	8	1749	July 29, 2020
Xss inside Param tag Web Hacking	5	1706	February 13, 2020
Help for dom xss Web Hacking	6	10749	July 13, 2020
Is JSONP callback XSS a thing? Web Hacking	0	3739	May 29, 2018
Reflected XSS with Burp Web Hacking	7	3890	July 20, 2020

How to get fully reflected XSS executed in title tag?

Related topics