
I'm wondering if XSS is possible without these chars.

disallowed/filtered text: < > ! @ # $ % ^ & * : ? = ( )

I'm able to break out of a style attribute of an element by introducing an ending quotation mark. I can do stuff like inject a keyword like onerror into the DOM, but I can't use = or anything to create my own src attribute (I can get src into the DOM, but I can't assign the src attribute) or something.

nooby
  • Possible duplicate of [XSS payload without - &<>"=()](https://security.stackexchange.com/questions/173032/xss-payload-without), [XSS Vector without < or > symbols or equal sign?](https://security.stackexchange.com/questions/112221/), [Bypass a simple XSS filter that only looks at <](https://security.stackexchange.com/questions/206893), [XSS payload without using < and >](https://security.stackexchange.com/questions/130284) and probably others. – Steffen Ullrich May 01 '19 at 08:00
  • These all have a different set of filtered chars than what I'm asking... what – nooby May 02 '19 at 07:18
  • Correct, it might be necessary that you are able to make the conclusion that when a subset of your filtered characters is already sufficient to prevent the attacks, then filtering even more characters does not magically enable the attack vectors again. In other words: if a car stops working when you remove the motor, it will not magically work again if you also remove the wheels. – Steffen Ullrich May 02 '19 at 07:23
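
As an added example (not part of the question or its comments), the following Node.js script models the situation nooby describes: the blocklist exactly as listed in the question, a hypothetical server-side template that reflects the input into a double-quoted style attribute with nothing but that blocklist in front of it, and a small attribute tokenizer that shows what the reflected markup looks like. The template, the tokenizer and the sample payloads are constructed for this illustration; the tokenizer follows the HTML spec's attribute-name state for the one detail that matters here (a name runs until whitespace or `=`), but it is not a full HTML parser.

```javascript
// Added example (not from the original question): the asker's blocklist,
// a hypothetical page that reflects input into a style attribute, and a
// small tokenizer showing what the reflected markup looks like.

// Disallowed characters exactly as listed in the question.
const BLOCKED = new Set('<>!@#$%^&*:?=()');

// Return the first blocked character in `input`, or null if none is present.
function firstBlockedChar(input) {
  for (const ch of input) {
    if (BLOCKED.has(ch)) return ch;
  }
  return null;
}

// Hypothetical vulnerable template (constructed for this example): the input
// lands inside a double-quoted style attribute with only the character
// blocklist in front of it. Throws when the blocklist fires, mirroring a
// server-side reject.
function render(input) {
  const hit = firstBlockedChar(input);
  if (hit !== null) throw new Error(`rejected: contains ${JSON.stringify(hit)}`);
  return `<div style="color: ${input}">hi</div>`;
}

// Tokenize the attributes of the first start tag. A name runs until
// whitespace or '=', as in the HTML spec's attribute-name state, so a stray
// '"' becomes part of the name rather than closing anything. Values must be
// double-quoted, which is all render() emits. value is null for a valueless
// attribute.
function parseStartTagAttrs(html) {
  const tag = /^<\w+([^>]*)>/.exec(html);
  if (!tag) return [];
  const attrs = [];
  const re = /([^\s=]+)(?:\s*=\s*"([^"]*)")?/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) {
    attrs.push({ name: m[1].toLowerCase(), value: m[2] === undefined ? null : m[2] });
  }
  return attrs;
}

// Names of on* attributes that actually received a value. A handler attribute
// with no value has nothing for the browser to execute.
function armedHandlers(html) {
  return parseStartTagAttrs(html)
    .filter(a => a.name.startsWith('on') && a.value !== null)
    .map(a => a.name);
}

// Walk one payload through the filter and report what reaches the DOM.
function tryPayload(input) {
  try {
    const html = render(input);
    return { rejected: false, html, attrs: parseStartTagAttrs(html), armed: armedHandlers(html) };
  } catch (e) {
    return { rejected: true, reason: e.message };
  }
}

// Constructed sample payloads: the one the asker can get through, and the
// obvious next step that the blocklist stops.
console.log(tryPayload('red" onerror'));          // breaks out, but onerror" has no value
console.log(tryPayload('red" onerror=alert(1)')); // rejected: contains "="
```

Running it shows the two halves of the asker's observation side by side: the closing quote does end the style attribute and put a new token into the tag, but without `=` that token is a valueless attribute (here even its name is `onerror"`), so nothing is wired to executable code; the moment the payload tries to attach a value, the blocklist rejects it.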
