If a website encodes < to < and > becomes >, is it still possible to perform cross site scripting? What would you enclose the script tags in?
For example, on one of my sites I can use <script>alert(1)</script> normally, but how can I do the same thing when encoding takes place?
Oh yes it is!
Consider this HTML:
<a href="{{str}}"> and consider an input like:
" onmouseover="alert('GOTCHA')" You get the picture.
If your javascript is being injected within a tag then you don't need the angle brackets. I borrowed this off this similar S/O post: https://stackoverflow.com/questions/5696244/xss-is-escaping-and-sufficient
If you are interested in filter evasion like this consult:
https://owasp.org/www-community/xss-filter-evasion-cheatsheet
This has all the common stuff.
As far as safety is concerned: Encode all the things! You never know how clever the attacker is.
When it comes to Cross-site scripting, the most important thing is context. The context in which it gets reflected or stored.I will demonstrate this with a real example from my experience. Once while bug-hunting i noted that a URL parameter was getting reflected inside a variable:
http://www.example.com/blah.php?id=test&var=101011 The value of var was being reflected in the source of the page at page load, in roughly the following format, inside a script block:
var a = "101011"; and injecting as much as a '<' would divert the request to the WAF which would throw an error page, so my actual payload to deal with this was:
prompt(1)";eval(a); which bypassed the WAF and became a successful case of reflected XSS. So, the payload should be modified according to context and you might not need the tags. Hope that helped.
