

This topic is now archived and is closed to further replies.


Bypassing URL encoding to cause an XSS


I was probing for a reflected XSS and I haven't been able to beat the URL encoding being performed on the backslash character. The `<script>alert(1)<script>` is reflected as it is, but backslash is encoded into `%2F`. I tried double encoding the backslash and submitting the new script directly in the URL, but this doesn't seem to work either. Special characters like `=` and `;` are also being URL encoded. Should I stop probing for XSS and look for another point of exploitation, or is there a way to cause an XSS?



**UPDATE:**

After trying inserting `<xml%00onreadystatechange%253Dalert(1)>` directly in the URL, the reflected string that I get is this but in the URL everything after `<xml` gets truncated. I guess something worked here and the filters picked it up and truncated everything after `<xml`.

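Seen from the application side, the behaviour described in the post (some characters percent-encoded, angle brackets reflected as-is) is what a reflection point looks like when it lacks output encoding for the HTML context. The following is an added example, not part of the original post and not the code of the application being discussed: it decodes a raw query value once, flags multi-layer encoding and NUL bytes for logging, and HTML-escapes the value before reflecting it. The names `canonicalize` and `reflect` are hypothetical.

```python
import html
import re
from urllib.parse import unquote

PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def canonicalize(raw, max_rounds=3):
    """Percent-decode until stable; return (value, rounds needed)."""
    value, rounds = raw, 0
    while rounds < max_rounds and PCT.search(value):
        value = unquote(value)
        rounds += 1
    return value, rounds


def reflect(raw):
    """Return (html_fragment, findings) for one raw query-string value."""
    findings = []
    canonical, rounds = canonicalize(raw)
    if rounds > 1:
        # More than one encoding layer is worth logging for review.
        findings.append("multi-encoded")
    if "\x00" in canonical:
        findings.append("nul-byte")
    # Decode once, as a web framework would, and drop NUL bytes.
    value = unquote(raw).replace("\x00", "")
    # Encode for the output context (HTML text or a quoted attribute).
    # Script, URL and CSS contexts need their own encoders.
    return html.escape(value, quote=True), findings


# Constructed inputs: the two strings quoted in the post, plus a benign value.
SAMPLES = [
    "<script>alert(1)<script>",
    "<xml%00onreadystatechange%253Dalert(1)>",
    "a%3Db",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(reflect(sample))
```

With escaping applied at output, both strings from the post are rendered as inert text regardless of how many encoding layers the input carried; the findings list only feeds logging and detection.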
