Jan Cinert

False positive | Reflected Cross-Site Scripting (XSS) Vulnerabilities

Discussion created by Jan Cinert on Nov 5, 2013
Latest reply on Nov 6, 2013 by Mike Shema

Payload "'><qss%20a=@REQUESTID@>

 

#1 Response

comment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy.


<script type="text/javascript">
    /* <![CDATA[ */

    var a = "\"'><qss%20a=@REQUESTID@>";

    /* ]]> */
</script>

The response does not have a vulnerability.

 

  1. <> characters do not have to be HTML encoded. They are inside a CDATA section.
  2. " character is correctly encoded as \". It is inside a JS string wrapped inside " character.
  3. ' character does not have to be encoded. It is inside a JS string that is not wrapped inside ' character.
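
A scripted form of the manual verification the scanner comment asks for, as an added example that is not part of the original post or of the scanner. The function names and the second, unescaped sample are assumptions constructed for illustration; only plain `'...'` and `"..."` literals are handled.

```javascript
// Added example (not from the thread). Assumes plain string literals only:
// template literals and regex literals are not handled.

// Return the span of every '...' and "..." literal, skipping JS comments.
function findStringLiterals(js) {
  const spans = [];
  let i = 0;
  while (i < js.length) {
    if (js.startsWith('/*', i)) {
      const e = js.indexOf('*/', i + 2);
      i = e === -1 ? js.length : e + 2;
    } else if (js.startsWith('//', i)) {
      const e = js.indexOf('\n', i);
      i = e === -1 ? js.length : e;
    } else if (js[i] === '"' || js[i] === "'") {
      const quote = js[i];
      let j = i + 1;
      // A backslash escapes the next character; a raw newline ends the literal.
      while (j < js.length && js[j] !== quote && js[j] !== '\n') j += js[j] === '\\' ? 2 : 1;
      const closed = j < js.length && js[j] === quote;
      spans.push({ start: i, end: closed ? j + 1 : Math.min(j, js.length), quote, closed });
      i = j + 1;
    } else {
      i++;
    }
  }
  return spans;
}

// Classify where `marker` (the scanner's reflected probe) ended up.
// `js` is the text the server emitted between the <script> tags.
function triageReflection(js, marker) {
  const at = js.indexOf(marker);
  if (at === -1) return { reflected: false };
  const lit = findStringLiterals(js).find(s => at >= s.start && at + marker.length <= s.end);
  return {
    reflected: true,
    containedInString: Boolean(lit && lit.closed),
    // In text/html the parser ends the element at "</script" even inside a string.
    closesScript: /<\/script/i.test(js),
  };
}

const marker = '<qss%20a=@REQUESTID@>';
// Script body as quoted in the thread.
const fromThread = String.raw`/* <![CDATA[ */ var a = "\"'><qss%20a=@REQUESTID@>"; /* ]]> */`;
// Constructed contrast: the same reflection with the " left unescaped.
const unescaped = String.raw`/* <![CDATA[ */ var a = ""'><qss%20a=@REQUESTID@>"; /* ]]> */`;
console.log(triageReflection(fromThread, marker), triageReflection(unescaped, marker));
```
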
