
I am performing testing on a site that takes input from the user and places it between `<span>` and `</span>`. However, `<` and `>` from the user are encoded as `&lt;` and `&gt;`. Is there any payload that could possibly execute XSS in the site that does not use `<` and `>`?

Anders
Abiral

1 Answer

Text entities in HTML can't do anything interesting, and the content between span tags is interpreted as text. To do anything interesting, you'll need to inject a new entity (which is done using < and >), or you'll need your input to be injected into a non-text location (such as the parameters of an entity, or inside a <script> block, or similar). If your input isn't being reflected anywhere else, and < and > are always encoded, then you can't exploit the page via XSS.

However, there might be ways to trick the server into sending un-encoded < and > without it meaning to. One way that I've seen is to send Unicode characters that aren't <> but that the server might map down to those ASCII characters before reflecting them into the output. Consider characters like ˂˃, ‹›, ≤≥, <>, all of which may get mapped to <> by a server and then not get encoded as &lt; &gt;. No guarantees, but it does happen.

CBHacking

  • FWIW, I've never heard of any server or client auto-converting Unicode to < or >... – dandavis Jul 17 '16 at 12:31
  • @dandavis You bet there is! For instance, this could happen with punycode conversions. – Arminius Jul 17 '16 at 17:35
  • @dandavis: I've pentested a lot of web apps. It's not common, but I've seen it happen before. It's another tool for the toolbox, not a guarantee, but it's always worth checking for. – CBHacking Jul 17 '16 at 19:56
  • To clarify: sure, there may be bad code out there that outputs real angle brackets from other "stuff", but I've not encountered such in 10 years of webdev, and as such I believe it to be uncommon and obviously defective, but would be surprised if OP faces such an issue... – dandavis Jul 17 '16 at 23:45
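The answer's second paragraph describes a server that folds look-alike Unicode characters down to ASCII `<` and `>` after (rather than before) output encoding. The following is an added example, not code from the original question, answer or comments, showing how that ordering bug arises with standard NFKC normalization, the hardened ordering (normalize first, then escape), and a small check a developer can run over a string to spot code points that fold to angle brackets. The input string and the function names are constructed for this illustration.

```python
import html
import unicodedata

# Constructed sample input (not from the original post): fullwidth angle
# brackets U+FF1C / U+FF1E, which NFKC normalization folds to ASCII '<' '>'.
CONSTRUCTED_INPUT = "\uff1cspan\uff1eprobe\uff1c/span\uff1e"


def render_unsafe(user_input: str) -> str:
    """Vulnerable ordering: escape first, then normalize.

    html.escape sees no ASCII '<' or '>' and leaves the text alone; the
    later NFKC step then produces raw angle brackets inside the span.
    """
    escaped = html.escape(user_input, quote=True)
    return "<span>" + unicodedata.normalize("NFKC", escaped) + "</span>"


def render_safe(user_input: str) -> str:
    """Hardened ordering: normalize first, then escape the final form.

    Whatever NFKC turns the input into is what gets encoded, so folded
    brackets end up as &lt; and &gt; like any other bracket.
    """
    normalized = unicodedata.normalize("NFKC", user_input)
    return "<span>" + html.escape(normalized, quote=True) + "</span>"


def contains_raw_angle_brackets(rendered: str) -> bool:
    """Check whether the text between the outer span tags holds a raw '<' or '>'."""
    inner = rendered[len("<span>"):-len("</span>")]
    return "<" in inner or ">" in inner


def find_bracket_confusables(text: str) -> list:
    """Detection helper: unique code points whose NFKC form contains '<' or '>'.

    Useful for auditing a normalization step: any hit is a character that
    must be encoded after normalization, not before.
    """
    hits = set()
    for ch in text:
        if ch in "<>":
            continue
        folded = unicodedata.normalize("NFKC", ch)
        if "<" in folded or ">" in folded:
            hits.add("U+%04X %s" % (ord(ch), unicodedata.name(ch, "?")))
    return sorted(hits)


if __name__ == "__main__":
    print("unsafe:", render_unsafe(CONSTRUCTED_INPUT))
    print("safe:  ", render_safe(CONSTRUCTED_INPUT))
    print("folds to brackets:", find_bracket_confusables(CONSTRUCTED_INPUT))
```

Note that the check only flags characters with a compatibility decomposition to `<` or `>` (fullwidth and small-form variants); characters such as `≤` or `‹` have no such mapping in Unicode, so whether a given application folds those depends on its own, non-standard transliteration code, which is the "bad code" the comments refer to.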