I am trying to get XSS in a GET request to work, but it only works within Burp because there I can send, for example, > as a non-URL-encoded string. As soon as I try it in the browser, it is no longer possible because the browser encodes the > to %3e and the XSS vector is gone...

Is it somehow possible to force the browser to not URL encode those characters when making the request?

Anders
slashcrypto
  • I need a PoC because it's a website which is offering bug bounties and you won't get any without a PoC which works in browsers... – slashcrypto Feb 29 '16 at 15:03
  • @slashcrypto Try this: \u003c script stuff here \u003e. See if you can smuggle some unicode into it. I doubt it will work if it's parsed before outputting, though. – Mark Buffalo Feb 29 '16 at 15:17
  • No... it seems not to work. Well, I think it's not possible in general. I read about some browser vulnerabilities, but it seems that there is no "legal" way of doing this in any kind of programming language through a browser... – slashcrypto Feb 29 '16 at 16:59
  • Interesting question - I answered similar here so you could try those things, with no guarantees that they will work. – SilverlightFox Mar 02 '16 at 13:13

0 Answers