Ttyjfyk

Can I use my Chinese passport to enter China after I acquired another citizenship?

How can I get through very long and very dry, but also very useful technical documents when learning a new tool?

Is exact Kanji stroke length important?

HashMap containsKey() returns false although hashCode() and equals() are true

Modify casing of marked letters

Have I saved too much for retirement so far?

Implement the Thanos sorting algorithm

Can criminal fraud exist without damages?

Are there any comparative studies done between Ashtavakra Gita and Buddhim?

Displaying the order of the columns of a table

Teaching indefinite integrals that require special-casing

Using parameter substitution on a Bash array

Why did Kant, Hegel, and Adorno leave some words and phrases in the Greek alphabet?

Will it be accepted, if there is no ''Main Character" stereotype?

What's the purpose of "true" in bash "if sudo true; then"

How to verify if g is a generator for p?

How can a jailer prevent the Forge Cleric's Artisan's Blessing from being used?

Can somebody explain Brexit in a few child-proof sentences?

Is there a problem with hiding "forgot password" until it's needed?

voltage of sounds of mp3files

Is there a good way to store credentials outside of a password manager?

Tiptoe or tiphoof? Adjusting words to better fit fantasy races

Opposite of a diet

Is there an Impartial Brexit Deal comparison site?

Why isn't this XSS working?

PHP: if charset mismatches (htmlentities UTF-8) viewed by client as ISO-8859-1 (or vice versa)How is this XSS attack working?Why doesn't this XSS attack work?XSS - Bypass this RegExpWhy do ID attributes need stricter validation?XSS via JSON: Why does a web application not sanitize either its incoming params hash or its outgoing JSON values of malicious tags like Script?Why isn't this code running?Why does this XSS challenge require %0A to work?BeEF XSS - internal workingWhy this XSS payload doesn't work?

5

I'm learning DOM XSS and I have this code :

<html>
 <body>
 Select your language:
 <select>
 <script>
 document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");
 document.write("<OPTION value=2>English</OPTION>");
 </script>
 </select>
 </body>
</html> 

but I don't understand why this payload doesn't trigger any XSS :

t.html?default=test</option><img src=x onerror=alert(1)/>

It looks like the symbols are encoded and I don't understand why...

I took the script from https://www.owasp.org/index.php/DOM_Based_XSS so I guess it's vulnerable but I don't know how to exploit it...

xss

share|improve this question

edited yesterday

Alex Probert

3231215

asked yesterday

NeolexNeolex

10219

add a comment | 

5

I'm learning DOM XSS and I have this code :

<html>
 <body>
 Select your language:
 <select>
 <script>
 document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");
 document.write("<OPTION value=2>English</OPTION>");
 </script>
 </select>
 </body>
</html> 

but I don't understand why this payload doesn't trigger any XSS :

t.html?default=test</option><img src=x onerror=alert(1)/>

It looks like the symbols are encoded and I don't understand why...

I took the script from https://www.owasp.org/index.php/DOM_Based_XSS so I guess it's vulnerable but I don't know how to exploit it...

xss

share|improve this question

edited yesterday

Alex Probert

3231215

asked yesterday

NeolexNeolex

10219

add a comment | 

I'm learning DOM XSS and I have this code :

<html>
 <body>
 Select your language:
 <select>
 <script>
 document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");
 document.write("<OPTION value=2>English</OPTION>");
 </script>
 </select>
 </body>
</html> 

but I don't understand why this payload doesn't trigger any XSS :

t.html?default=test</option><img src=x onerror=alert(1)/>

It looks like the symbols are encoded and I don't understand why...

I took the script from https://www.owasp.org/index.php/DOM_Based_XSS so I guess it's vulnerable but I don't know how to exploit it...

xss

share|improve this question

edited yesterday

Alex Probert

3231215

asked yesterday

NeolexNeolex

10219

<html>
 <body>
 Select your language:
 <select>
 <script>
 document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");
 document.write("<OPTION value=2>English</OPTION>");
 </script>
 </select>
 </body>
</html> 

t.html?default=test</option><img src=x onerror=alert(1)/>

share|improve this question

edited yesterday

Alex Probert

3231215

asked yesterday

NeolexNeolex

10219

share|improve this question

edited yesterday

Alex Probert

3231215

asked yesterday

NeolexNeolex

10219

edited yesterday

Alex Probert

3231215

edited yesterday

Alex Probert

3231215

asked yesterday

NeolexNeolex

10219

asked yesterday

NeolexNeolex

10219

1 Answer
1

active

oldest

votes

12

It doesn't work because the payload is URL-encoded.

If you navigate to

https://example.com/?foo=<>"

you will see the literal characters <>" in your URL bar, but the browser has actually requested

https://example.com/?foo=%3C%3E%22

. That is, your browser always URL-encodes some characters in the query string, including quotes and angle brackets.

So, if you access location.href via JS, the payload in your example will be returned as

test%3C/option%3E%3Cimg%20src=x%20onerror=alert(1)/%3E

. This does not produce any HTML tags unless you URL-decode it first.

Note: As far as I know, all modern browsers now behave that way, but historically, some implementations have implicitly URL-decoded values for the location interface. In these browsers, your attack would have worked.

share|improve this answer

edited yesterday

answered yesterday

ArminiusArminius

37.8k13123120

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Oh I see... Ok ! Thank you so much ! So this webpage is not vulnerable anymore ?
  
  – Neolex
  yesterday
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  There may still be browsers that let you sneak literal quotes and angle brackets somewhere in the URL where they don't get URL-encoded. But I believe your example isn't vulnerable in modern Chrome and Firefox.
  
  – Arminius
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Ok ! Thanks a lot !
  
  – Neolex
  yesterday
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206018%2fwhy-isnt-this-xss-working%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

12

It doesn't work because the payload is URL-encoded.

If you navigate to

https://example.com/?foo=<>"

you will see the literal characters <>" in your URL bar, but the browser has actually requested

https://example.com/?foo=%3C%3E%22

. That is, your browser always URL-encodes some characters in the query string, including quotes and angle brackets.

So, if you access location.href via JS, the payload in your example will be returned as

test%3C/option%3E%3Cimg%20src=x%20onerror=alert(1)/%3E

. This does not produce any HTML tags unless you URL-decode it first.

Note: As far as I know, all modern browsers now behave that way, but historically, some implementations have implicitly URL-decoded values for the location interface. In these browsers, your attack would have worked.

share|improve this answer

edited yesterday

answered yesterday

ArminiusArminius

37.8k13123120

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Oh I see... Ok ! Thank you so much ! So this webpage is not vulnerable anymore ?
  
  – Neolex
  yesterday
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  There may still be browsers that let you sneak literal quotes and angle brackets somewhere in the URL where they don't get URL-encoded. But I believe your example isn't vulnerable in modern Chrome and Firefox.
  
  – Arminius
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Ok ! Thanks a lot !
  
  – Neolex
  yesterday
  

  
  
  
  

add a comment | 

12

It doesn't work because the payload is URL-encoded.

If you navigate to

https://example.com/?foo=<>"

you will see the literal characters <>" in your URL bar, but the browser has actually requested

https://example.com/?foo=%3C%3E%22

. That is, your browser always URL-encodes some characters in the query string, including quotes and angle brackets.

So, if you access location.href via JS, the payload in your example will be returned as

test%3C/option%3E%3Cimg%20src=x%20onerror=alert(1)/%3E

. This does not produce any HTML tags unless you URL-decode it first.

Note: As far as I know, all modern browsers now behave that way, but historically, some implementations have implicitly URL-decoded values for the location interface. In these browsers, your attack would have worked.

share|improve this answer

edited yesterday

answered yesterday

ArminiusArminius

37.8k13123120

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Oh I see... Ok ! Thank you so much ! So this webpage is not vulnerable anymore ?
  
  – Neolex
  yesterday
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  There may still be browsers that let you sneak literal quotes and angle brackets somewhere in the URL where they don't get URL-encoded. But I believe your example isn't vulnerable in modern Chrome and Firefox.
  
  – Arminius
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Ok ! Thanks a lot !
  
  – Neolex
  yesterday
  

  
  
  
  

add a comment | 

It doesn't work because the payload is URL-encoded.

If you navigate to

https://example.com/?foo=<>"

you will see the literal characters <>" in your URL bar, but the browser has actually requested

https://example.com/?foo=%3C%3E%22

. That is, your browser always URL-encodes some characters in the query string, including quotes and angle brackets.

So, if you access location.href via JS, the payload in your example will be returned as

test%3C/option%3E%3Cimg%20src=x%20onerror=alert(1)/%3E

. This does not produce any HTML tags unless you URL-decode it first.

Note: As far as I know, all modern browsers now behave that way, but historically, some implementations have implicitly URL-decoded values for the location interface. In these browsers, your attack would have worked.

share|improve this answer

edited yesterday

answered yesterday

ArminiusArminius

37.8k13123120

https://example.com/?foo=<>"

https://example.com/?foo=%3C%3E%22

test%3C/option%3E%3Cimg%20src=x%20onerror=alert(1)/%3E

share|improve this answer

edited yesterday

answered yesterday

ArminiusArminius

37.8k13123120

answered yesterday

ArminiusArminius

37.8k13123120

answered yesterday

ArminiusArminius

37.8k13123120