
I try to get XSS in a GET request to work, but it is only working within Burp because there I can send, for example, `>` as a non-URL-encoded string. As soon as I try it in the browser, it is no longer possible because the browser encodes the `>` to `%3e` and the XSS vector is gone...

Is it somehow possible to force the browser to not URL encode those characters when making the request?

Anders
slashcrypto
  • I need a PoC because it's a website which is offering bug bounties and you won't get any without a PoC which works in browsers.... – slashcrypto Feb 29 '16 at 15:03
  • @slashcrypto Try this: `\u003c script stuff here \u003e`. See if you can smuggle some unicode into it. I doubt it will work if it's parsed before outputting, though. – Mark Buffalo Feb 29 '16 at 15:17
  • No ... seems not to work. Well, I think it's not possible in general. I read about some browser vulnerabilities but it seems that there is no "legal" way of doing this in any kind of programming language through a browser... – slashcrypto Feb 29 '16 at 16:59
  • Interesting question - I answered similar [here](http://security.stackexchange.com/questions/98025/reflected-xss-quote-not-encoded/98111#98111) so you could try those things, with no guarantees that they will work. – SilverlightFox Mar 02 '16 at 13:13

0 Answers