Double quote filter(") bypass


Rohitash Singh

Dec 7, 2014, 11:51:39 PM
to null-...@googlegroups.com
Hello all, 

Noob question, but still I want to make sure: is there XSS or no XSS?

During my testing for XSS, I found this: <input type="type" name="search" value="my_input" />. In order to break the value attribute, I should use a double quote, but the result is this:

value="&quot; onmouseover=prompt(1); . Since the application is not using innerHTML, I can't use mXSS (` backtick to break the attribute in old browsers). I tried different encodings, but I guess in order to break the attribute, the payload should start with " . Is there any way to get XSS in this? I have heard about IE charset bugs. Please advise me about this for XSS exploitation.




Nilesh Kumar

Dec 8, 2014, 1:03:49 AM
to null-...@googlegroups.com

I guess you can't as it's encoding the double quotes. HTML encoding is in place.

Sent from my Android phone..
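
Added example, not part of the original thread: a small JavaScript model of why the encoded quote in the reply above cannot end the value attribute, and of the condition that protection depends on (the attribute must stay quoted). The parser is a simplified stand-in for a browser's tokenizer, the template is modeled on the field quoted in the thread, and encodeAttr, decodeRefs, parseAttrs, render and injectedAttrs are names made up for this sketch.

```javascript
// Encoder for text placed inside a QUOTED HTML attribute value.
function encodeAttr(s) {
  const map = { "&": "&amp;", '"': "&quot;", "'": "&#39;", "<": "&lt;", ">": "&gt;" };
  return String(s).replace(/[&"'<>]/g, (c) => map[c]);
}

// Character references are decoded only after the tokenizer has already
// decided where the attribute value ends, so &quot; never closes a value.
function decodeRefs(s) {
  const named = { amp: "&", quot: '"', lt: "<", gt: ">" };
  return s.replace(/&(?:#(\d+)|(amp|quot|lt|gt));/g, (_, num, name) =>
    num ? String.fromCodePoint(Number(num)) : named[name]);
}

// Simplified model of attribute tokenization for a single start tag
// (constructed for this example, not a full HTML parser).
function parseAttrs(tag) {
  const body = tag.replace(/^<\s*[^\s\/>]+/, "").replace(/\/?>\s*$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = decodeRefs(m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Render the search field; `encode` and `quoted` are toggles so the
// three cases below can be compared.
function render(value, { encode = true, quoted = true } = {}) {
  const v = encode ? encodeAttr(value) : value;
  const q = quoted ? '"' : "";
  return `<input type="text" name="search" value=${q}${v}${q} />`;
}

// Names of attributes the template author did not write.
function injectedAttrs(tag) {
  return Object.keys(parseAttrs(tag)).filter((n) => !["type", "name", "value"].includes(n));
}

const input = '" onmouseover=prompt(1);'; // the input quoted in the thread
console.log(injectedAttrs(render(input, { encode: false })));  // no encoding
console.log(injectedAttrs(render(input)));                     // encoded and quoted
console.log(injectedAttrs(render("x onmouseover=prompt(1);", { quoted: false }))); // encoded, unquoted
```

With encoding and quoting together the whole input comes back as the literal text of value; if the template ever drops the quotes around the attribute, the same encoder no longer contains it, which is the thing to check when reviewing the page's templates.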


Sauby

Dec 8, 2014, 4:12:07 AM
to null-...@googlegroups.com
So this thing cannot be bypassed? Would IE charset bugs help in this?