So I am pretty sure I know the answer to this question, but I want to be 100% sure, so I am looking for some input here. A vulnerability was reported to a site of mine that looks something like this:
GET mysite.com/page<script>alert('XSS');</script>
If you use curl, you can see the payload in the response. Likewise, if you intercept a browser request with a proxy and edit it to the above payload, it will execute.
However, the backend isn't decoding the URL. If this link is posted on some forum and clicked, the browser will encode the URL and the response will look like this:
.... mysite.com/page%3Cscript%3Ealert(%27XSS%27)%3B%3C%2Fscript%3E ....
This obviously does not execute. To me, this poses no threat whatsoever because the only way to execute it successfully is with a MITM attack. If there is somebody sitting on the network that can see the traffic and edit it, there would be no point in exploiting XSS because you have everything you want anyway.
Is this a correct analysis? Is there any way to get a user to click on a link or post some form that doesn't encode the URL that I am not aware of?
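The question hinges on how the client encodes the path, but the server-side fix does not depend on that at all. Below is an added example, not code from the poster's site, that puts the reflection described in the post (the raw request path echoed into the response body) beside a hardened version that percent-decodes the path and then HTML-escapes it before insertion. The function names and the sample paths are constructed for illustration; the two path strings mirror the raw and browser-encoded forms shown in the post.

```python
import html
from urllib.parse import unquote

# Constructed samples: the request path as the server sees it in the two cases
# the post describes (raw via curl/proxy, percent-encoded via a browser click).
RAW_PATH = "/page<script>alert('XSS');</script>"
ENCODED_PATH = "/page%3Cscript%3Ealert(%27XSS%27)%3B%3C%2Fscript%3E"


def render_vulnerable(path: str) -> str:
    """Reflect the request path into HTML with no output encoding.

    This reproduces the behaviour in the post: whatever bytes arrive on the
    request line are copied into the page body unchanged, so the outcome
    depends entirely on whether the client percent-encoded the path.
    """
    return f"<p>No route for {path}</p>"


def render_fixed(path: str) -> str:
    """Reflect the request path safely.

    Percent-decode first so the encoded and raw forms are handled identically,
    then HTML-escape (including quotes) so the value can only ever be text
    inside the <p> element, never markup.
    """
    return f"<p>No route for {html.escape(unquote(path), quote=True)}</p>"


def reflects_markup(response_body: str) -> bool:
    """Simple check a defender can run over responses: does a <script tag
    appear in the body? Used here to compare the two renderers."""
    return "<script" in response_body.lower()


if __name__ == "__main__":
    for label, path in (("raw", RAW_PATH), ("encoded", ENCODED_PATH)):
        print(f"{label:8} vulnerable -> script tag: {reflects_markup(render_vulnerable(path))}")
        print(f"{label:8} fixed      -> script tag: {reflects_markup(render_fixed(path))}")
```

Running it shows the asymmetry the post observed for the unencoded renderer (the raw path yields a live script tag, the percent-encoded one does not) and that the escaped renderer produces inert text for both inputs, which is the property to rely on rather than client-side encoding behaviour.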