
I'm trying to insert javascript:alert(1) inside a tag. There is some kind of filter for javascript, so I tried using javascrip%74:alert(1) and that URL is accepted.

However, when I click on it, it redirects me to https://www.website.com/javascript:alert(1) instead of showing the alert box.

Why is that happening and how can I bypass that?

mhr
Disp Lay
  • I consider the question as too broad. There is no way to reproduce the problem since neither the full behavior of the server is known nor what you are exactly doing. Without both pieces of information it is impossible to explain what really happens here; all one could try is to wildly guess what might happen. – Steffen Ullrich Sep 02 '19 at 22:35
  • @SteffenUllrich The question is not too broad. I'm injecting `javascrip%74:alert(1)` inside ` – Disp Lay Sep 02 '19 at 22:37
  • 1
    Your question said only *"insert ... __inside tag__"*. Your question said nothing about which tag (seems to be `a` based on your comment) and in which place (seems to be as `href` based on your comment) and if there was any quoting (still unknown) and which browser (still unknown) and how it ended up in the source code of the site (still unknown) etc. Thus, while you've made the question less broad using your comment it is still not fully clear what you've exactly tried. Apart from that, all these information should be in your question and not in a comment. – Steffen Ullrich Sep 03 '19 at 04:56

1 Answer


javascrip%74 is not a valid scheme for any production browser. It's being evaluated, in URL encoding, as javascrip%2574.

A list of valid protocols used in Chromium-based browsers can be seen in the following file; I've highlighted the line containing the 'javascript' protocol. https://cs.chromium.org/chromium/src/url/url_constants.cc?dr=C&g=0&l=26

The processing of URLs, again in Chromium-based browsers, can be seen in the origin files: https://cs.chromium.org/chromium/src/url/origin.h?dr=CSs&g=0

LTPCGO
  • Thanks for your answer. The reason why I tried with `javascrip%74` was to bypass their filter. So if `javascript` is removed, what can I use to get an XSS to work inside the `a href` tag? – Disp Lay Sep 03 '19 at 18:51
  • You're asking what could be valid XSS against an unknown system with unknown protections in place. It's too broad a comment which asks a completely different question. Read up on XSS filter evasion, OWASP has a great article which may give you some ideas. – LTPCGO Sep 03 '19 at 21:37