Saturday, February 6, 2021

browser parser autocompletes script tag but alert popup not showing

I am studying reflected XSS and I'm having some trouble understanding what's happening in the following scenario. I completed a lab in which I was able to exploit a reflected XSS vulnerability through the code: <svg><script>alert(1) which let me bypass a regex that filtered the starting and ending script tags (I know there are many ways to bypass this, but this is not the point). The browser parser automatically added the ending script and svg tags, resulting in the successful alert popup. However, I wanted to see whether that behavior had something to do with the particular lab or was valid generally. Hence, I created an HTML file with just <svg><script>alert(1) written inside. When I opened it with Chrome, no alert was prompted, so I investigated with the developer tools and, to my surprise, I found that both the script and svg tags (with many line feed characters) were automatically added, as you can see in the picture. I also tried with the IE browser and got the same behavior (without line feed characters). As you can see, the tags are correctly interpreted as HTML tags and are not escaped.

I wanted to understand more about what's going on behind the scenes and wasn't able to find anything around. Can anyone explain why I'm not seeing the alert popup even though the parser correctly autocompletes the tags? Any reference to the subject is also appreciated.

https://stackoverflow.com/questions/66080971/browser-parser-autocompletes-script-tag-but-alert-popup-not-showing February 07, 2021 at 03:22AM
