0

I found an HTML injection vulnerability but there is an issue.

The following request returns the following:

```
curl "https://redacted.com/xss/para?meter="><h1>Test</h1>"
```

Response:

```
<meta name="url:url" content="https://redacted.com/xss/para?meter="><h1>Test</h1>
....
```


But when I try it in a browser, the browser automatically rewrites the URL to https://redacted.com/xss/para?meter=%253E%253Ch1%253ETest%253C%2Fh1%253E and the response returns the following:

```
<meta name="url:url" content="https://redacted.com/xss/para?meter=%253E%253Ch1%253ETest%253C%2Fh1%253E" />
```


So we need to get this HTML code to execute in the victim's browser for there to be any impact. Is there any way to bypass this?

Sir Muffington
  • 1,447
  • 2
  • 9
  • 22
Ugroon
  • 1
  • 2
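The point worth taking from the question, from the application owner's side, is that the browser's automatic percent-encoding is a client courtesy, not a server-side control: a non-browser client (curl in the question) sends the raw `"><h1>` bytes, and the response reflects them unescaped into the `content` attribute of the `<meta name="url:url">` tag. The added example below is not code from the question or from the site being tested; it models the reflection with a hypothetical `vulnerable_meta()` builder, shows the hardened `safe_meta()` that canonicalises the URL and HTML-escapes it for the attribute context, and uses a small `html.parser`-based check to confirm whether a reflected value actually breaks out of the attribute. The two request URLs are constructed from the values shown in the question.

```python
"""Added example: why browser URL encoding is not a defence against the
reflected <meta content="..."> injection described in the question, and how
the server should escape the reflected URL instead.  The request/response
builders are hypothetical stand-ins, not the real application's code."""
import html
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed from the question: what curl sends, and what the browser sends.
RAW_REQUEST = 'https://redacted.com/xss/para?meter="><h1>Test</h1>'
BROWSER_REQUEST = (
    "https://redacted.com/xss/para?meter=%253E%253Ch1%253ETest%253C%2Fh1%253E"
)


def vulnerable_meta(request_url: str) -> str:
    """Reflects the request URL verbatim into an attribute value (the
    behaviour observed in the question).  A double quote in the URL
    terminates the attribute and everything after it becomes markup."""
    return f'<meta name="url:url" content="{request_url}" />'


def safe_meta(request_url: str) -> str:
    """Hardened version with two independent layers:
    1. canonicalise the URL so that anything outside the URL character set
       (quotes, angle brackets, spaces, ...) is percent-encoded server-side,
       regardless of what the client did;
    2. HTML-escape the result for the attribute context, so even a URL that
       legitimately contains & or ' cannot alter the tag."""
    parts = urlsplit(request_url)
    # quote() keeps existing %XX sequences (% is in safe) and URL delimiters,
    # and encodes the characters an attacker needs to close the attribute.
    canonical = urlunsplit((
        parts.scheme,
        parts.netloc,
        quote(parts.path, safe="/%"),
        quote(parts.query, safe="=&%/?"),
        "",  # the fragment never reaches the server, so it is dropped
    ))
    return f'<meta name="url:url" content="{html.escape(canonical, quote=True)}" />'


class _TagCollector(HTMLParser):
    """Records the start tags the browser's parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def rendered_tags(markup: str) -> list[str]:
    """Detection check: if anything other than 'meta' appears, the reflected
    value escaped the attribute and injected its own element."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for label, url in (("curl", RAW_REQUEST), ("browser", BROWSER_REQUEST)):
        print(f"[{label}] vulnerable -> {rendered_tags(vulnerable_meta(url))}")
        print(f"[{label}] hardened   -> {rendered_tags(safe_meta(url))}")
        print("           ", safe_meta(url))
```

Running the block shows the raw (curl-style) request yielding `['meta', 'h1']` through the vulnerable builder and `['meta']` through the hardened one; the browser-encoded request is harmless in both, which is exactly why relying on it would be a false sense of safety. Of the two layers in `safe_meta`, the HTML escaping alone is sufficient for the attribute context; the URL canonicalisation is there so the stored value is also a well-formed URL when it is later consumed by something that is not an HTML parser.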

2 Answers

1

Do you see this behavior in all browsers? If not, you could abuse it in those specific browsers.

Another method you could try is for instance including the vulnerable page using an <iframe>. This way, the URL does not need to be entered in the browser directly, but only in the src attribute of that iframe.

Wouter
  • 397
  • 1
  • 12
0

This is called browser URL encoding, which is now supported by almost every browser, but you can still try different versions of IE. I also want to suggest a previous discussion here - Bypassing browsers URL encoding to do reflected XSS from query parameter? This will surely help you.

N008x
  • 36
  • 2