I tried to get reflected XSS in vulnerable website with a request to the following URL:

https://vulnerable.website/dir/dir?param1=test"><svg/onload=alert(1)>

The browser URL-encodes the characters, and they are also reflected back in the response encoded, so it doesn't work. But if I intercept the request and type the payload without encoding, the XSS is executed.

Is there any way to send the request without the browser encoding it?

Anders
Tarek Zidan
  • AFAIK, the browser will encode URLs for you, from the URL bar, AJAX, and hrefs – dandavis Jan 26 '18 at 19:50
  • IE and Edge do not encode; other browsers do. – paj28 Jan 26 '18 at 20:23
  • @paj28 Edge also encodes it (just tested), and I can't imagine IE wouldn't. One point of confusion might be that Edge's human-facing reporting of the URL is NOT escaped (e.g. dev tools, URL bar), but the actual request (seen in HTTP logs) is escaped like Chrome. – dandavis Jan 26 '18 at 20:31
  • @dandavis - My bad it is IE only and Edge does escape. I tested again just now. – paj28 Jan 26 '18 at 20:47

2 Answers

It depends on the browser you are using.

Here is a blog post from Troy Hunt regarding this topic:

You can try to intercept the request using tools like Burp Suite. If you intercept the request, you can try to change the encoding character set and check if the desired result occurs.

  • OP already said they can manually intercept the request and change the parameter. But that doesn't make it an exploitable XSS flaw, which is what OP is asking. Also, if you link a post it's always helpful to include the gist in your answer, too. (Also note that the linked post is from 2012 and browser behavior changes a lot.) – Arminius Jan 26 '18 at 20:09
  • Hi guys, thanks for your responses. It worked in IE only because IE didn't encode the URL; I tested it. – Tarek Zidan Jan 27 '18 at 20:49
I'm facing the same problem, namely the browser address bar URL-encoding that prevents testing the XSS vulnerability.

I found 2 ways around the issue:

  • use curl to send the request, then open the saved page in your browser

    curl -o test.html 'https://vulnerable.website/dir/dir?param1=test"><svg/onload=alert(1)>'

  • use the browser with a proxy, intercept the request and manually edit the request to unencode it (proxy tools such as Burp, Fiddler)

The second option is considerably slower if you have no experience.

8ctopus
  • The point is that you need the attack to work for your victim using just a web browser, not curl or Burp. AFAIK this is unexploitable in real life, except for IE. Which means no bounties unfortunately. – SilverlightFox Dec 05 '20 at 19:45
  • @SilverlightFox thanks for the comment, it makes sense. – 8ctopus Dec 07 '20 at 04:09
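An added example, not part of the question or either answer, that models in Python why the browser's percent-encoding decides whether the reflected payload fires: a server that echoes the raw query string is only protected while the client encodes it (hence the IE-only result above), while one that reflects the URL-decoded parameter is exposed no matter what the browser sends; HTML-escaping the value at output fixes both cases. The `param1` name comes from the question; the `<p>` wrapper and the exact set of characters the browser leaves unencoded are assumptions.

```python
"""Models browser percent-encoding vs. server-side reflection for the
reflected XSS case in the question (added example, not from the page)."""
from html import escape
from urllib.parse import parse_qs, quote

# Constructed sample: the query string from the question's URL.
RAW_QUERY = 'param1=test"><svg/onload=alert(1)>'


def browser_encode(query: str) -> str:
    """Approximate what Chrome/Firefox/Edge send: '"', '<' and '>' become
    %22, %3C, %3E while query delimiters stay as-is (assumed safe set)."""
    return quote(query, safe="=&/?()")


def reflect_raw_query(query: str) -> str:
    """Vulnerable pattern 1: echo the raw, undecoded query string into HTML.
    Looks safe in most browsers only because the client encoded it; an
    IE request or an intercepted, unencoded request lands verbatim."""
    return f"<p>You searched for: {query}</p>"


def reflect_decoded_param(query: str) -> str:
    """Vulnerable pattern 2: URL-decode param1 (as every web framework does)
    and echo it. Browser encoding is irrelevant here: decoding restores
    the payload on the server side."""
    param1 = parse_qs(query).get("param1", [""])[0]
    return f"<p>You searched for: {param1}</p>"


def reflect_escaped_param(query: str) -> str:
    """Fixed: HTML-escape the decoded value at the point of output so that
    '"', '<' and '>' become entities regardless of how the request arrived."""
    param1 = parse_qs(query).get("param1", [""])[0]
    return f"<p>You searched for: {escape(param1, quote=True)}</p>"


def contains_live_tag(html: str) -> bool:
    """Crude detection check: is the injected <svg> tag present unescaped?"""
    return "<svg/onload=" in html
```

Running the three reflectors over both the raw query and `browser_encode(RAW_QUERY)` shows only the escaped variant is safe for every input.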