Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
url encode bypass
Posted by: the_master
Date: June 25, 2013 02:39PM

Hi there,
I have a problem with some site.
what it does, he gets as a input from the GET parameter encode that data and then
save it as action attribute on form element.
something like that:
site.com/form.php?parm=hello world

at the source code it looks like this:
<form action="hello%20world">

so, how can I bypass that url encode to fully exploit cross site scripting on that website?

thx

Options: ReplyQuote
Re: url encode bypass
Posted by: Bob
Date: June 25, 2013 05:23PM

">yourxssgoeshere.

Options: ReplyQuote
Re: url encode bypass
Posted by: the_master
Date: June 26, 2013 12:20AM

it doesnt work because it uses urlencode function, to encode " character.

Options: ReplyQuote
Re: url encode bypass
Posted by: Bob
Date: June 26, 2013 05:59AM

Send me the link via pm and i'll get it done.

Options: ReplyQuote
Re: url encode bypass
Posted by: Bob
Date: June 26, 2013 07:49AM

It isn't vulnerable to xss.

Options: ReplyQuote


Sorry, only registered users may post in this forum.