23Tem
XSS with failing method in the injected DOM within onclick
If I have a DOM XSS such as
<button type="button" data-dismiss="modal" onclick="Register.search('{INJECTION_PAYLOAD}');">
Search
</button>
Where I could for example inject code which closes the Register:
<button type="button" data-dismiss="modal" onclick="Register.search('');alert(1);//')">
Search
</button>
But Register is not defined in the context and leads to Uncaught ReferenceError.
Would it be possible to still get the payload running in any way?
I tried initialize blocks, but they don't seem to work like in Java. Also, I tried overwritting the Register object into a variable name, but it seems like JS variables cannot contain a "." and "(". Exception handling is not possible, since the try statement needs to be before the Register. Global exception handling with window will also fail, since the first statement is executed first.
Is this secured against XSS? Or is there any way?
Thanks!