Stack Exchange
IT Security Stack Exchange
Questions
Tags
Users
About
IT Security Stack Exchange
Public
Questions
Tags
Users
About
Is XSS possible when the user input gets reflected inside
when '<' and '>' symbols are sanitized</a></h1> </div> <div class="grid fw-wrap pb8 mb16 bb bc-black-075"> <div class="grid--cell ws-nowrap mr16 mb8" title="2016-01-12 19:07:53Z"> <span class="fc-light mr2">Asked</span> <time itemprop="dateCreated" datetime="2017-03-23T18:12:43.063" class="fromnow">Mar 23 '17 at 18:12</time> </div> <div class="grid--cell ws-nowrap mr16 mb8"> <span class="fc-light mr2">Active</span> <time class="fromnow" title="2017-03-27T07:47:11.213" datetime="2017-03-27T07:47:11.213">Mar 27 '17 at 07:47</a> </div> <div class="grid--cell ws-nowrap mb8" title="Viewed 124 times"> <span class="fc-light mr2">Viewed</span> 124 times </div> </div> <div id="mainbar" role="main" aria-label="questions and answers"> <div id="question" class="question" data-questionid="154725" data-ownerid="121141" data-score="1"> <div class="post-layout"> <div class="votecell post-layout--left"> <div class="js-voting-container grid jc-center fd-column ai-stretch gs4 fc-black-200" data-post-id="154725"> <button class="js-vote-up-btn grid--cell s-btn s-btn__unset c-pointer"><svg aria-hidden="true" class="m0 svg-icon iconArrowUpLg" width="36" height="36" viewBox="0 0 36 36"><path d="M2 26h32L18 10 2 26z"></path></svg></button> <div class="js-vote-count grid--cell fc-black-500 fs-title grid fd-column ai-center" itemprop="upvoteCount" data-value="1">1</div> <button class="js-bookmark-btn s-btn s-btn__unset c-pointer py4"> <svg aria-hidden="true" class="svg-icon iconBookmark" width="18" height="18" viewBox="0 0 18 18"><path d="M6 1a2 2 0 00-2 2v14l5-4 5 4V3a2 2 0 00-2-2H6zm3.9 3.83h2.9l-2.35 1.7.9 2.77L9 7.59l-2.35 1.7.9-2.76-2.35-1.7h2.9L9 2.06l.9 2.77z"></path></svg> <div class="js-bookmark-count mt4" data-value=""></div> </button> </div> </div> <div class="postcell post-layout--right"> <div class="s-prose js-post-body" itemprop="text"><h2>The scenario:</h2> <p>I have an application which takes user input and reflect everything to the following field in response.</p> <hr/> <p><code><textarea rows="5" cols="32" name="test_name" tabindex="6"></code><strong>user input</strong> <code></textarea></code></p> <hr/> <ol> <li>All the user input except <em>less than (<strong><</strong>)</em> and <em>greater than (<strong>></strong>)</em> special characters are reflected. </li> <li><strong><</strong> & <strong>></strong> are sanitized in response by html encoding them (<strong><</strong>, <strong>></strong>).</li> </ol> <h2>Theory, History and the whole story:</h2> <p>In theory to demonstrate XSS, I have to get an alert window. I am listing down the ideal test cases I have tried out. I would like to know if I missed something here.</p> <ol> <li>Branch 1: Try to encode < & > Tried - URL encoding Result - Failed</li> <li>Branch 2: Try to find alternate ways I know that I could have gotten a script executed if my script landed inside a tag like by using onmouseover, onclick etc. </li> </ol> <h2>The Question:</h2> <ol> <li>Would XSS be possible in this scenario?</li> <li>What other encoding can I try? [ suggest me payloads ]</li> <li>Is there any other way, like onmouseover & onclick which will work outside the < & > tags?</li> </ol> </div> <div class="mt24 mb12"> <div class="post-taglist grid gs4 gsy fd-column"> <div class="grid ps-relative"> <a href="../../questions/tagged/web-application|xss|appsec" class="post-tag js-gps-track" title="show questions tagged 'web-application|xss|appsec'" rel="tag">web-application|xss|appsec</a> </div> </div> </div> <div class="mb0"> <div class="mt16 grid gs8 gsy fw-wrap jc-end ai-start pt4 mb16"> <div class="grid--cell mr16 fl1 w96"></div> <div class="post-signature grid--cell"> <div class="s-user-card s-user-card"> <time class="s-user-card--time" datetime="edited Mar 27 '17 at 07:47">edited Mar 27 '17 at 07:47</time> <a href="../../users/98538/anders" class="s-avatar s-avatar__32 s-user-card--avatar"> <img class="s-avatar--image" src="../../users/profiles/98538.webp" data-jdenticon-width="32" data-jdenticon-height="32" data-jdenticon-value="Anders" /> </a> <div class="s-user-card--info"> <a href="../../users/98538/anders" class="s-user-card--link">Anders</a> <ul class="s-user-card--awards"> <li class="s-user-card--rep" title="reputation score">65,582</li> <li class="s-award-bling s-award-bling__gold" title="24 gold badges">24</li> <li class="s-award-bling s-award-bling__silver" title="185 silver badges">185</li> <li class="s-award-bling s-award-bling__bronze" title="221 bronze badges">221</li> </ul> </div> </div> </div> <div class="post-signature owner grid--cell"> <div class="s-user-card s-user-card"> <time class="s-user-card--time" datetime="asked Mar 23 '17 at 18:12">asked Mar 23 '17 at 18:12</time> <a href="../../users/121141/hax" class="s-avatar s-avatar__32 s-user-card--avatar"> <img class="s-avatar--image" src="../../users/profiles/121141.webp" data-jdenticon-width="32" data-jdenticon-height="32" data-jdenticon-value="hax" /> </a> <div class="s-user-card--info"> <a href="../../users/121141/hax" class="s-user-card--link">hax</a> <ul class="s-user-card--awards"> <li class="s-user-card--rep" title="reputation score">3,951</li> <li class="s-award-bling s-award-bling__gold" title="2 gold badges">2</li> <li class="s-award-bling s-award-bling__silver" title="17 silver badges">17</li> <li class="s-award-bling s-award-bling__bronze" title="35 bronze badges">35</li> </ul> </div> </div> </div> </div> </div> </div> <div class="post-layout--right js-post-comments-component"> <div id="comments-154725" class="comments js-comments-container bt bc-black-075 mt12 " data-post-id="154725" data-min-length="15"> <ul class="comments-list js-comments-list" data-remaining-comments-count="0" data-canpost="false" data-cansee="true" data-comments-unavailable="false" data-addlink-disabled="true"> <li id="comment-293383" class="comment js-comment " data-comment-id="293383" data-comment-owner-id="8754" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment293383_154725"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">This question has been asked multiple times before, eg here: <a href="../../questions/130284/xss-payload-without-using-and">XSS payload without using < and ></a>. </span> – <a href="../../users/8754/tim" title="29,640 reputation" class="comment-user ">tim</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/154725/is-xss-possible-when-the-user-input-gets-reflected-inside-textarea-when-and-sy#comment293383_154725"><span title="2017-03-23T18:17:22.447 License: " class="relativetime-clean">Mar 23 '17 at 18:17</span></a></span> </div> </div> </li> <li id="comment-293384" class="comment js-comment " data-comment-id="293384" data-comment-owner-id="95381" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment293384_154725"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">@tim is right. To keep this question open you'd have argue why this is any different from an ordinary XSS attempt outside of any tags. </span> – <a href="../../users/95381/arminius" title="44,770 reputation" class="comment-user ">Arminius</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/154725/is-xss-possible-when-the-user-input-gets-reflected-inside-textarea-when-and-sy#comment293384_154725"><span title="2017-03-23T18:19:09.083 License: " class="relativetime-clean">Mar 23 '17 at 18:19</span></a></span> </div> </div> </li> </ul> </div> </div> </div> </div> <div id="answers"> <a name="tab-top"></a> <div id="answers-header"> <div class="answers-subheader grid ai-center mb8"> <div class="grid--cell fl1"> <h2 class="mb0" data-answercount="9">0 Answers<span style="display:none;" itemprop="answerCount">0</span></h2> </div> </div> </div> </div> </div> </div> </div> <script src="../../static/js/stack-icons.js"></script> <script src="../../static/js/fromnow.js"></script> </body> </html>