
I have the following JavaScript code:

var url = document.location.href;
// The raw URL is concatenated straight into a single-quoted attribute
document.write("<img src='?bla=" + url + "'>");

I am able to inject code when I append e.g. ?b=a'onX=alert(1);' to the URL, but this only works in browsers where ' will not get encoded.

Are there any other attacks that I didn't consider? Is there another way to break out of the src attribute?

Anders
Noahnder

1 Answer


Are there any other attacks that I didn't consider?

To prevent the single quote from getting encoded, you could try to sneak your payload into the path instead of the query string. For example, if the vulnerable page resides at http://example.com/path/vulnerable.php you could try something like this:

http://example.com/'onerror='payload/..%2Fpath/vulnerable.php

The idea is that some servers resolve the path implicitly. They don't check if the first folder 'onerror='payload actually exists, but immediately switch back to the parent directory (../) and resolve the rest of the path without issuing any redirect. (URL-encoding the slash as %2f prevents your browser from automatically shortening the path.)

Is there another way to break out of the src attribute?

No, a matching quote is your only chance to escape from the attribute value as explained in this answer.

Arminius
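As an added example (not code from the question or the answer), here is the question's concatenation beside an attribute-encoded version, plus a check that the answer's path-based payload can no longer close the src attribute. The function names and the sample URL are constructed for this illustration; it runs under Node without a DOM.

```javascript
// Mirrors the question's document.write() string: the href is dropped
// straight into a single-quoted src attribute without encoding.
function vulnerableImgTag(href) {
  return "<img src='?bla=" + href + "'>";
}

// Encode every character that can terminate or alter an HTML attribute
// value. Encoding both quote styles keeps the result safe whichever
// quote the template uses.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[&<>"']/g, function (ch) {
    return "&#" + ch.charCodeAt(0) + ";";
  });
}

// Same template as above, but the value is encoded first.
function safeImgTag(href) {
  return "<img src='?bla=" + encodeForHtmlAttribute(href) + "'>";
}

// Checks that the generated markup is a single <img> whose src value
// runs unbroken to the closing quote, i.e. no quote inside the value
// ended the attribute early. This illustrates the bug; it is not an
// XSS filter for production use.
function srcAttributeIntact(tag) {
  return /^<img src='([^']*)'>$/.test(tag);
}

// Constructed input modelled on the answer's path-based payload, as a
// browser would send it (the single quotes are not percent-encoded).
var hostilePath = "http://example.com/'onerror='payload/..%2Fpath/vulnerable.php";

console.log(vulnerableImgTag(hostilePath));
console.log(srcAttributeIntact(vulnerableImgTag(hostilePath))); // false
console.log(safeImgTag(hostilePath));
console.log(srcAttributeIntact(safeImgTag(hostilePath)));       // true
```

In a real page the cleaner fix is to avoid document.write entirely: create the element with document.createElement("img") and assign img.src, which never passes the URL through the HTML parser.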