
Example: test.php?p=test gives output:

<p style="...">test</p>

I can inject anything other than '<'; when injected I got redirected. So can it be exploited?

Abe Miessler

4 Answers


As Ammar mentioned, in this specific situation I don't think that XSS is possible. However if visiting test.php?p=test rendered the following HTML:

<p style="..." title="test">Some other stuff</p>

A malicious user could potentially use a URL like this:

test.php?p=test" onmouseover="alert('xss')

rendering:

<p style="..." title="test" onmouseover="alert('xss')">Some other stuff</p>

to execute an XSS attack. Doesn't work in your situation, but should illustrate the fact that stripping brackets is not sufficient to prevent XSS.

Abe Miessler

In this particular case, the "<" is necessary to an attack. Keep in mind that the "<" isn't necessary to all species of XSS attacks. A good reference is here.

As other comments mentioned, you have to be able to inject '<' in this particular example. I would try Unicode encoding (HTML entities).

For example, inject &#60;test and see if the server's response contains <test.

Sometimes URL encoding also works. For example, some sites blacklist characters such as & or ; in order to prevent Unicode-encoding-based XSS vectors. To bypass this filter you can use URL encoding.

http://www.example.com/search?q=%26%2360%3Btest

would translate to

http://www.example.com/search?q=&#60;test

I would try this as well. Minor nitpick: As far as I know, you always have to URL encode GET requests for HTML entities because the & will be interpreted as an additional parameter. – Gray Oct 29 '15 at 21:17


If the charset is UTF-7, the sequence +ADw- can be used to represent <.

Current versions of Internet Explorer still support UTF-7. However, the page would need to already be set as the UTF-7 charset or there would need to be some type of vector to allow you to set it in order to exploit this.

See this answer and this answer.

Other than that, a less than character is necessary to exploit this in HTML element context. This is not the case with attribute context where if the context can be changed to another attribute, then one supporting script can be injected:

<img alt="usertext" />

set usertext to " onmouseover="alert('xss')

then this will render as

<img alt="" onmouseover="alert('xss')" />

and no < needed.

SilverlightFox
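An added example, not code from the question or any of the answers, that checks two of the points made on this page in Python: that stripping brackets leaves the attribute-context injection from the first and last answers intact while proper output encoding neutralises it, and that a filter which runs before HTML-entity decoding (the third answer's &#60; trick) lets a real '<' through. The `title` attribute template and the payload are constructed from the answers' examples.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote


def strip_angle_brackets(value):
    """The kind of filter the question describes: drop '<' (and '>') only."""
    return value.replace("<", "").replace(">", "")


def render_title_naive(p):
    """Attribute context from the answers, protected only by bracket stripping."""
    return f'<p style="color:red" title="{strip_angle_brackets(p)}">Some other stuff</p>'


def render_title_escaped(p):
    """Same template with context-appropriate output encoding of & < > \" and '."""
    return f'<p style="color:red" title="{html.escape(p, quote=True)}">Some other stuff</p>'


class _PAttrs(HTMLParser):
    """Collect the attributes a browser-like parser sees on the <p> element."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "p":
            self.attrs.update(attrs)


def p_attributes(rendered):
    """Return {attribute: value} for the <p> in the rendered fragment."""
    parser = _PAttrs()
    parser.feed(rendered)
    return parser.attrs


def filter_then_decode(query_value):
    """Wrong order, as the third answer probes for: URL-decode, apply the bracket
    filter, then decode HTML entities before output, so &#60; becomes a real '<'."""
    return html.unescape(strip_angle_brackets(unquote(query_value)))


if __name__ == "__main__":
    payload = "test\" onmouseover=\"alert('xss')"  # constructed, as in the answers
    print(p_attributes(render_title_naive(payload)))    # gains an onmouseover attribute
    print(p_attributes(render_title_escaped(payload)))  # only style and title survive
    print(filter_then_decode("%26%2360%3Btest"))        # <test
```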