Reflected XSS via URL Encoding

TL;DR

Browsers often decode URL encoded characters before passing them to JavaScript. This can be exploited in reflected Cross-Site Scripting (XSS) attacks if the server doesn’t properly handle these decoded values, allowing malicious code execution.

Solution Guide

1. Understand the Problem: Reflected XSS happens when a web application takes user input from a query parameter and includes it in its response without proper sanitisation. URL encoding (e.g., %3C for <) is sometimes used to bypass basic filtering, but browsers decode these before JavaScript sees them.
2. Identify the Vulnerable Parameter: Find a query parameter that’s reflected in the page source. For example:

   https://example.com/search?q=test

   If ‘test’ appears directly in the HTML output, it’s likely vulnerable.

3. Test Basic XSS Payloads: Try injecting simple JavaScript payloads directly into the parameter:

   https://example.com/search?q=

   If this works, you’ve confirmed basic XSS.

4. Attempt URL Encoding Bypass: If simple payloads are blocked, try encoding the characters:
   • Encode angle brackets: %3Cscript%3Ealert('XSS')%3C/script%3E
   • Encode quotes: https://example.com/search?q=%22%22
   • Encode other special characters as needed (e.g., single quotes, double quotes).
5. Browser Decoding: The browser will decode the URL before passing it to the JavaScript engine. This means %3Cscript%3E becomes <script>.
6. Server-Side Handling is Key: If the server decodes the input *before* including it in the HTML, you need to bypass that decoding and any subsequent filtering.
   • If the server double-encodes (decodes then encodes), try encoding twice.
   • Look for other character sets or encodings used by the server.
7. Exploit with Decoded Payload: If the browser decodes and the server doesn’t properly sanitise, your encoded payload will be executed.

   https://example.com/search?q=%3Cscript%3Ealert('XSS')%3C/script%3E

8. Advanced Techniques (if needed):
   • Try different encoding schemes (e.g., UTF-7, Unicode).
   • Use HTML entities if the server decodes those as well.
   • Look for context within the reflected output – can you inject into a JavaScript string?
9. Report and Remediate: Once confirmed, report the vulnerability to the application developers. Remediation involves proper input validation and output encoding (escaping) on the server-side.

Important Note: Always test XSS vulnerabilities in a controlled environment with permission from the website owner. Unauthorized testing is illegal.