1

As part of bug bounty, I have a PATCH request to the API to change my name. I can post theses chars:

:
;
'
*
`
=
#
/
[
]
(
)

This is the HTML result :

data-cy="label-input__input" value="My injection :;'*`=#/[]()" class="label-input__input" data-v-71bcf264> <!---->

Am I obligated to use the char " to inject my JavaScript ? I already visited the page : XSS payload without - &<>"=() but the following code doesn't works:

javascript:alert`1`
Anonymous
  • 274
  • 3
  • 8
  • To security is only the idea related. The implementation questions as in your case are pure programming technique. That's why this question can be better answered on SO. – mentallurg Mar 02 '21 at 22:16
  • You'll have to escape from the value attribute to perform an xss. Since the value attribute starts with a ", it must also be closed with a ". So no, you cannot perform an xss here if you can't use a ". – nobody Mar 03 '21 at 07:24

1 Answers1

2

No, not in the context you have here.

URIs like javascript will not work in a value attribute, so you'll need to escape that context. You can only do that with ", which you don't have.

With the limited characters you do have, you'd either need an injection where you can use javascript URIs (eg into href), an injection into an attribute value context enclosed by ' (or not enclosed at all), an injection into a JavaScript context (eg a javascript variable enclosed by '), a bypass of the filter (maybe via some encoding, though unlikely), or insecure handling of the value via JavaScript (eg the input being passed to eval).

tim
  • 29,640
  • 7
  • 98
  • 121