Jan Cinert

False positive | Unencoded characters

Discussion created by Jan Cinert on Nov 5, 2013
Latest reply on Nov 6, 2013 by Philip Niegos

Payload

sf_guard_user[group_id]=%22'%3E%3Cqss%20%60%3b!--%3D%26%7b()%7d %3E


#1 Response

comment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy.


<script type="text/javascript">
    /* <![CDATA[ */
    var a = "\"'><qss `;!--=&{()}";
    /* ]]> */
</script>


The response does not have a vulnerability.


  1. The <>& characters do not have to be HTML-encoded. They are inside a CDATA section.
  2. The " character is correctly encoded as \". It is inside a JS string wrapped in " characters.
  3. The ' character does not have to be encoded. It is inside a JS string that is not wrapped in ' characters.
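As an added example (not code from the original post, the scanner, or the scanned application), the following JavaScript reproduces the reasoning above mechanically: it parses the double-quoted literal the way a JS engine would, confirms that the reflected value round-trips to the payload (so the `\"` escape kept it inside the string), and flags the two conditions that would make the same reflection unsafe: the quote left unescaped, and a literal `</script` in the value, which ends the script element under text/html parsing whether or not the code sits in a CDATA comment. `PAYLOAD` is the URL-decoded payload as it appears in the reflected script (the trailing ` >` of the posted URL is not in the response), `SAFE_SCRIPT` is the statement from the response, `UNSAFE_SCRIPT` is constructed, and `encodeForJsString` is a conservative encoder of my own, not the encoding the application performs.

```javascript
// Added example; constants transcribed or constructed from the post, helpers are mine.
const PAYLOAD = "\"'><qss `;!--=&{()}";                  // decoded payload as reflected
const SAFE_SCRIPT = 'var a = "\\"\'><qss `;!--=&{()}";';   // what the page returned: " escaped as \"
const UNSAFE_SCRIPT = 'var a = ""\'><qss `;!--=&{()}";';   // constructed: same value, " not escaped

const SIMPLE_ESCAPES = { n: "\n", r: "\r", t: "\t", b: "\b", f: "\f", v: "\v", "0": "\0" };

// Parse a double-quoted JS string literal starting at src[start], the way the
// engine would. Returns { value, end } or null if the literal never closes.
function parseDoubleQuoted(src, start) {
  if (src[start] !== '"') return null;
  let out = "";
  for (let i = start + 1; i < src.length; i++) {
    const c = src[i];
    if (c === '"') return { value: out, end: i + 1 };
    if (c === "\n" || c === "\r") return null;           // raw line terminator: syntax error
    if (c !== "\\") { out += c; continue; }
    const esc = src[++i];
    if (esc === undefined) return null;
    if (esc === "x" || esc === "u") {                     // \xHH and \uHHHH
      const width = esc === "x" ? 2 : 4;
      const hex = src.slice(i + 1, i + 1 + width);
      if (!new RegExp("^[0-9a-fA-F]{" + width + "}$").test(hex)) return null;
      out += String.fromCharCode(parseInt(hex, 16));
      i += width;
    } else {
      // \" \' \\ \/ and any other single-character escape map to the character itself
      out += SIMPLE_ESCAPES.hasOwnProperty(esc) ? SIMPLE_ESCAPES[esc] : esc;
    }
  }
  return null;
}

// Decide how `payload` landed in a statement of the form  var a = "...";
// (assumes the literal holds nothing but the reflected value):
//   "script-terminated": the text contains </script, which the HTML tokenizer
//                        treats as the end of the script element regardless of
//                        the CDATA comment around the code;
//   "breakout":          the literal closed before the end of the payload, so
//                        the rest of the payload is parsed as JS code;
//   "unterminated":      the literal never closes (syntax error, nothing runs);
//   "contained":         the literal decodes to exactly the payload.
function classifyReflection(script, payload) {
  if (/<\/script/i.test(script)) return "script-terminated";
  const start = script.indexOf('"');
  if (start < 0) return "no-literal";
  const lit = parseDoubleQuoted(script, start);
  if (lit === null) return "unterminated";
  return lit.value === payload ? "contained" : "breakout";
}

// Conservative encoder for a value placed inside a double-quoted JS string
// literal: everything but [A-Za-z0-9] becomes \xHH or \uHHHH, so the output
// can contain neither quote, nor <, nor the </script sequence. This is my own
// encoding, not what the scanned application does (it escaped only ").
function encodeForJsString(value) {
  let out = "";
  for (let i = 0; i < value.length; i++) {
    const cu = value.charCodeAt(i);   // UTF-16 code unit; astral chars become two \u escapes
    if (/[A-Za-z0-9]/.test(value[i])) out += value[i];
    else if (cu < 0x100) out += "\\x" + cu.toString(16).padStart(2, "0");
    else out += "\\u" + cu.toString(16).padStart(4, "0");
  }
  return out;
}

console.log("response as returned:", classifyReflection(SAFE_SCRIPT, PAYLOAD));
console.log("quote left unescaped:", classifyReflection(UNSAFE_SCRIPT, PAYLOAD));
console.log("conservative encoder:",
  classifyReflection('var a = "' + encodeForJsString(PAYLOAD) + '";', PAYLOAD));
```

Running it reports "contained" for the response as returned and "breakout" for the constructed variant with the unescaped quote, which is exactly the distinction the scanner could not make on its own. The `</script` check is the one condition the three points above do not cover: the HTML tokenizer stops the script element at that sequence before the JavaScript engine ever sees the CDATA comment, so a reflected value must never contain it even when `<` and `>` are otherwise left alone.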
