TL;DR
Browsers often decode URL encoded characters before passing them to JavaScript. This can be exploited in reflected Cross-Site Scripting (XSS) attacks if the server doesn’t properly handle these decoded values, allowing malicious code execution.
Solution Guide
- Understand the Problem: Reflected XSS happens when a web application takes user input from a query parameter and includes it in its response without proper sanitisation. URL encoding (e.g.,
%3Cfor <) is sometimes used to bypass basic filtering, but browsers decode these before JavaScript sees them. - Identify the Vulnerable Parameter: Find a query parameter that’s reflected in the page source. For example:
https://example.com/search?q=testIf ‘test’ appears directly in the HTML output, it’s likely vulnerable.
- Test Basic XSS Payloads: Try injecting simple JavaScript payloads directly into the parameter:
https://example.com/search?q=If this works, you’ve confirmed basic XSS.
- Attempt URL Encoding Bypass: If simple payloads are blocked, try encoding the characters:
- Encode angle brackets:
%3Cscript%3Ealert('XSS')%3C/script%3E - Encode quotes:
https://example.com/search?q=%22%22 - Encode other special characters as needed (e.g., single quotes, double quotes).
- Encode angle brackets:
- Browser Decoding: The browser will decode the URL before passing it to the JavaScript engine. This means
%3Cscript%3Ebecomes

