while performing and web app audit, I found a part in this app, where probably only open tags are filtered. In case of injecting something like "><script>alert('XSS')</script>
alert('XSS')</script> is displayed.
The question for me is, is there another way to transport <script, especially the < (as it looks like [script is displayed correctly) anyhow else (except html encoded), so that is interpreted by the browser correctly?
Thanks in advance.
Two things to try:
1st: HTML comments - fool the app - fool the browser.
2nd: Attribute injections - changing <input type=text to <input type=image and applying an onerror/onload or just try to apply event handlers, style attributes or whatever is necessary to exec JS.
It might be considered rather indiscreet to ask for an example URL but I am curios - so.. you have an example URL (here/PM/email)?
thanks for the hint with the eventhandler, I just wonder why I did not think about that myself ;)
But there was no other possibility in thoughts of encoding the text so that the browser interprets it anyway?
hmm did not find the PM button, so regarding your last question, unfortunately I am not allowed to. But any special interests for you question, maybe I can help you with that then ;)
Let's rename PM to IM - my bad :)
It depends on server, application and maybe other things if you can generate a < with alternative encodings. Try to play around with several common encodings and check what the app does. Maybe you can foll the filter by just using <scr<script>ipt> or comparable.