VULNERABILITY DETAILS

VERSION
Chrome Version: 54.0.2840.91
Operating System: iOS

REPRODUCTION CASE
Create the xss_js file:
<script>var q=""</script>

1.in and unicode escapes, i can bypass what is called i\u006E.

Modern browsers, but you must disable the escape of words with Unicode escape, and the Safari browser is not forbidden to be processed in the same way.

PoC: https://vulnerabledoma.in/xss_js?q=%22i\u006E+alert(1)//

Then it becomes:<script>var q=""i\u006E alert(1)//"</script>

2. XSS filter, in addition to the string in the XSS, XSS simple reflection text also tried to stop you want. In my past articles, so we introduce a string part of a string into the case of being cut off, and then paste in the following.

SecurityCamp2015 "Getting Started" from the Kinugawa Masato: http: //www.slideshare.net/masatokinugawa/ss-51723687

I think this time is concerned about the valueOf =

Of course, if the previously defined function, in the following format, can function as a call instead of using a filter to react ().


Specific reference to the article：
http://masatokinugawa.l0.cm/2016/12/xss11.html
http://masatokinugawa.l0.cm/2016/12/xss10.html