XSS without ' > < =

Asked Nov 18 '17 at 13:39

Active Nov 18 '17 at 16:18

Viewed 1,106 times

The developer filter the characters ', <, > and = and the vulnerability is something like:

I also tried URL encodes like %3c, %0a, %3e, %0a, %3d, %0a, %27 and %0a but it doesn't work. Without filters I can get XSS like ">alert("aaa").

Any ideas about how to bypass?

edited Nov 18 '17 at 14:53

Anders

64,406
24
178
215

asked Nov 18 '17 at 13:39

myandtest test

3

Where is your injection point? – Arminius Nov 18 '17 at 13:41
[Related](https://security.stackexchange.com/q/81824/147932) – Joe Nov 18 '17 at 15:46
1

Something like `" onclick="..."`? – CodesInChaos Nov 18 '17 at 19:01
going for hover on a screen sized element might work even better. – CodesInChaos Nov 18 '17 at 19:35
@CodesInChaos only if injection point already inside html tag – TiredOfProgramming Jan 29 '19 at 20:39

XSS without ' > < =

0 Answers0