[OWASP-Security101] XSS with tag parsing

Patrick Laverty patrick_laverty at brown.edu
Thu May 31 14:24:30 UTC 2012


We're testing out a web app here in the office and we're seeing that
we can pass anything we want in from the URL into the page's source.
However, the tag brackets (< and >) are being parsed into their %3C
equivalents. So the <script> tag is turned into %3Cscript%3E.

I'm pretty sure there's a way around this. Any help on things to test
to get the ubiquitous alert box to pop up and prove a positive test?

Thank you!

Patrick

