Open Simpsonpt opened 9 years ago
I'm not sure what you're asking.
This is not a question; it is a payload to evaluate JS code, and I don't think this is the main goal of this software.
If this is a feature, sorry for my mistake.
I guess it's an issue with the unobfuscation features. One of the unobfuscators resorts to eval-ing the code to let it self-unpack, which is both a pro (you get exactly what you would get in a browser) and a con (you run a piece of JS without being warned).
The XSS scenario is quite narrow, since you have to manually paste the code in the box and so you are seeing it, but I realize some subtle tricks might still result in very unpleasant outcomes.
The unobfuscation infrastructure I wrote a few years ago for the Python version disallows eval unpacking unless you specifically request it with a command-line switch. Maybe the same behaviour could be adopted in the JS version too, with a checkbox on the web UI?
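As an added example (not code from this project or from either commenter), this is what an eval-free unpacker for p.a.c.k.e.r output looks like, with the eval path gated behind an explicit opt-in flag along the lines of the command-line switch described above. It assumes the Dean Edwards packer grammar `eval(function(p,a,c,k,e,d){...return p}('PAYLOAD',RADIX,COUNT,'WORDS'.split('|'),0,{}))`; the function names (`safeUnpack`, `unpackPacker`, `encodeIndex`, `readStringLiteral`) and the sample packed input are invented for this example. The payload quoted in this issue matches the packer signature but fails the strict argument parser, because its "arguments" are an expression rather than a string literal, so nothing in it executes unless the caller opts in.

```javascript
// Added example, not the project's code. Unpacks p.a.c.k.e.r output by parsing the
// packed call instead of eval-ing it. Assumed grammar (Dean Edwards' packer):
//   eval(function(p,a,c,k,e,d){...return p}('PAYLOAD',RADIX,COUNT,'WORDS'.split('|'),0,{}))
// All function names below are invented for this example.

const PACKER_HEAD =
  /^\s*eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)\s*\{/;

// Read one single- or double-quoted JS string literal starting at src[i].
// Returns { value, end } with `end` just past the closing quote. Throws on anything that
// is not a plain string literal, so an argument such as (function(){...})() is rejected.
function readStringLiteral(src, i) {
  const quote = src[i];
  if (quote !== "'" && quote !== '"') throw new Error(`expected string literal at offset ${i}`);
  const simple = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v', '0': '\0' };
  let out = '';
  for (let j = i + 1; j < src.length; j++) {
    const ch = src[j];
    if (ch === '\\') {
      const nxt = src[++j];
      if (nxt === 'x') { out += String.fromCharCode(parseInt(src.slice(j + 1, j + 3), 16)); j += 2; }
      else if (nxt === 'u') { out += String.fromCharCode(parseInt(src.slice(j + 1, j + 5), 16)); j += 4; }
      else out += Object.prototype.hasOwnProperty.call(simple, nxt) ? simple[nxt] : nxt;
    } else if (ch === quote) {
      return { value: out, end: j + 1 };
    } else if (ch === '\n' || ch === '\r') {
      break;
    } else {
      out += ch;
    }
  }
  throw new Error('unterminated string literal');
}

// Base-`radix` token encoding used by the packer: digits, then a-z, then A-Z (radix <= 62).
function encodeIndex(n, radix) {
  const alphabet = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
  let s = '';
  do { s = alphabet[n % radix] + s; n = Math.floor(n / radix); } while (n > 0);
  return s;
}

// The packer's own loop replaces each encoded \w+ token with its dictionary word. The
// dictionary words are \w+ tokens themselves, so one tokenising pass gives the same result.
function unpack(payload, radix, count, words) {
  const dict = new Map();
  for (let i = 0; i < count; i++) {
    const token = encodeIndex(i, radix);
    dict.set(token, words[i] || token);
  }
  return payload.replace(/\b\w+\b/g, (tok) => (dict.has(tok) ? dict.get(tok) : tok));
}

// Parse the packed call without evaluating any part of it. Throws when the input does
// not match the strict packer grammar.
function safeUnpack(src) {
  if (!PACKER_HEAD.test(src)) throw new Error('not p.a.c.k.e.r output');
  const body = /return\s+p\s*;?\s*\}\s*\(/.exec(src);
  if (!body) throw new Error('packer signature without a recognisable unpacking body');
  let i = body.index + body[0].length;
  const payload = readStringLiteral(src, i);
  i = payload.end;
  const nums = /^\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*/.exec(src.slice(i));
  if (!nums) throw new Error('expected ,RADIX,COUNT, after the payload');
  i += nums[0].length;
  const words = readStringLiteral(src, i);
  i = words.end;
  const tail = /^\s*\.split\(\s*['"]\|['"]\s*\)\s*,\s*0\s*,\s*\{\s*\}\s*\)\s*\)\s*;?\s*$/;
  if (!tail.test(src.slice(i))) throw new Error('unexpected trailing arguments');
  return unpack(payload.value, Number(nums[1]), Number(nums[2]), words.value.split('|'));
}

// Entry point for a web UI or CLI: the eval path runs only when the caller opts in.
function unpackPacker(src, { allowEval = false } = {}) {
  if (!PACKER_HEAD.test(src)) return { status: 'not-packed', code: src };
  try {
    return { status: 'unpacked', code: safeUnpack(src) };
  } catch (err) {
    if (!allowEval) return { status: 'refused', reason: err.message };
    // Opt-in path: the packer call is executed, so any expression in its argument list
    // runs with full script privileges. This is exactly what the issue's payload relies on.
    const call = src.replace(/^\s*eval\s*\(/, 'return (');
    return { status: 'evaluated', code: String(new Function(call)()) };
  }
}

// Constructed sample input (a hand-made packer call, not taken from any real site).
const PACKED_SAMPLE =
  "eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};" +
  "if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}" +
  "k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};" +
  "while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}" +
  "return p}('0 1=\"2\";3(1)',10,4,'var|x|hello|alert'.split('|'),0,{}))";

// The payload quoted in this issue: the packer "arguments" are an arbitrary expression.
const ISSUE_PAYLOAD =
  "eval(function(p,a,c,k,e,r){}((function(){alert('XSS')})(),''.split('|'),0,{}))";

console.log(unpackPacker(PACKED_SAMPLE)); // { status: 'unpacked', code: 'var x="hello";alert(x)' }
console.log(unpackPacker(ISSUE_PAYLOAD)); // { status: 'refused', reason: '...' }
```

With `allowEval: true` the issue payload's argument expression is evaluated before the (empty) packer function is even entered, which is why the eval path should stay off by default and be a visible, deliberate choice in the UI.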
I think that can be a solution, although I'm not comfortable enough in this code base to decide anything. Weaponizing this payload isn't a problem, I think; right now there is no return/profit, it really depends on the way people use this project.
Cross-site scripting is possible with the following code.
Payload: eval(function(p,a,c,k,e,r){}((function(){alert('XSS')})(),''.split('|'),0,{}))
Observation: This is not my research and I did not find any issue related to this topic.