How to do it...

For this recipe, we will use the prototyping features provided by the Magical Code Injection Rainbow, an application included in our OWASP BWA vulnerable virtual machine:

  1. First, go to the application and select XSSmh from the menu to go to the XSS sandbox. Here, we can set up a field vulnerable to XSS with custom types of sanitization.
  2. In our case, we will use the last Sanitization Level: Case-Insensitively and Repetitively Remove Blacklisted Items, matching Keywords.
  3. In Sanitization Parameters, we need to enter the blacklisted words and characters: add alert, document, cookie, href, location, and src. This greatly limits the range of action of a possible attacker exploiting the application.
  4. The Input Sanitization section should look like this:

  5. Now, test a common injection that displays the cookie in an alert message, as follows:

As you will see, no alert is shown. This is because of the sanitization options we configured.

  6. In order to bypass this protection, we will need to find a way to obfuscate the code so that it is approved by the validation mechanism and still recognized and executed by the browser. Here is where JSFuck comes into play. On your base machine, navigate to http://jsfuck.com. The site describes the language and how it goes about generating JavaScript code with only six different characters, namely [, ], (, ), + and !.
  7. You will also find that this site has a form to convert normal JavaScript to its JSFuck representation; try converting alert(document.cookie);, which is the payload we are trying to get executed. As can be seen in the following screenshot, that simple string generates code of almost 13,000 characters, which is too much to send in a GET request. We need to find a way to reduce that amount:

  8. What we can do is not obfuscate the whole payload, but only the parts that are necessary to bypass the sanitization. Make sure that the Eval Source option is not set, and obfuscate the following strings:
    • ert
    • d
    • e
  9. Now, we will integrate the obfuscated code into a full payload. Because the JSFuck output (with Eval Source unchecked) evaluates to a string rather than to executable code, we need to assemble the string and pass it to the eval function to execute it. The final payload would be as follows:
<script>eval("al"+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+"('XSS '+"+([][[]]+[])[!+[]+!+[]]+"ocument.cooki"+(!![]+[])[!+[]+!+[]+!+[]]+")");</script>
  10. Insert the payload in the injection string and click on Inject. The code should be executed as follows:
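As an added example (not code from the recipe or from MCIR), the following JavaScript models the blacklist sanitizer configured above, runs both a plain alert payload and the recipe's partially obfuscated payload through it, and contrasts the result with HTML output encoding, the mitigation that does not depend on what the attacker types. The plain payload string and all function names are constructed for this example.

```javascript
// Added example, not code from the recipe or from MCIR: a model of the
// sanitizer mode selected above (case-insensitive, repeated removal of
// blacklisted keywords) beside HTML output encoding, the mitigation that
// does not rely on predicting how an attacker will spell the payload.
const BLACKLIST = ["alert", "document", "cookie", "href", "location", "src"];

// Strip every blacklisted keyword case-insensitively and repeat until the
// text stops changing, so a split keyword cannot reassemble after one pass.
function blacklistSanitize(input) {
  let out = input;
  let prev;
  do {
    prev = out;
    for (const word of BLACKLIST) {
      out = out.replace(new RegExp(word, "gi"), "");
    }
  } while (out !== prev);
  return out;
}

// HTML text-context encoding: every character that can change the parser's
// state becomes an entity, so no tag from the input survives no matter how
// the script inside it is written.
function htmlEncode(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;",
                '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return input.replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// True when a <script> element is still present in the output.
function containsScriptTag(s) {
  return /<script\b[^>]*>[\s\S]*?<\/script>/i.test(s);
}

// Constructed plain payload, and the partially obfuscated one from the recipe.
const PLAIN = "<script>alert(document.cookie)</script>";
const OBFUSCATED =
  '<script>eval("al"+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+' +
  '(!![]+[])[+[]]+"(\'XSS \'+"+([][[]]+[])[!+[]+!+[]]+"ocument.cooki"+' +
  '(!![]+[])[!+[]+!+[]+!+[]]+")");</script>';

// Run both defences over a payload and report whether a script tag survives.
function evaluateDefences(payload) {
  const blacklisted = blacklistSanitize(payload);
  const encoded = htmlEncode(payload);
  return { blacklisted, encoded,
           scriptSurvivesBlacklist: containsScriptTag(blacklisted),
           scriptSurvivesEncoding: containsScriptTag(encoded) };
}
```

The blacklist leaves the obfuscated payload byte-for-byte intact, while encoding neutralises both payloads without needing to know any keyword.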
