Blog | G5 Cyber Security

Reflected XSS via URL Encoding

G5 Cyber Security

TL;DR

Browsers often decode URL encoded characters before passing them to JavaScript. This can be exploited in reflected Cross-Site Scripting (XSS) attacks if the server doesn’t properly handle these decoded values, allowing malicious code execution.

Solution Guide

  1. Understand the Problem: Reflected XSS happens when a web application takes user input from a query parameter and includes it in its response without proper sanitisation. URL encoding (e.g., %3C for <) is sometimes used to bypass basic filtering, but browsers decode these before JavaScript sees them.
  2. Identify the Vulnerable Parameter: Find a query parameter that’s reflected in the page source. For example: 
    https://example.com/search?q=test

    If ‘test’ appears directly in the HTML output, it’s likely vulnerable.

  3. Test Basic XSS Payloads: Try injecting simple JavaScript payloads directly into the parameter: 
    https://example.com/search?q=

    If this works, you’ve confirmed basic XSS.

  4. Attempt URL Encoding Bypass: If simple payloads are blocked, try encoding the characters:
    • Encode angle brackets: %3Cscript%3Ealert('XSS')%3C/script%3E
    • Encode quotes: https://example.com/search?q=%22%22
    • Encode other special characters as needed (e.g., single quotes, double quotes).
  5. Browser Decoding: The browser will decode the URL before passing it to the JavaScript engine. This means %3Cscript%3E becomes <script>.
  6. Server-Side Handling is Key: If the server decodes the input *before* including it in the HTML, you need to bypass that decoding and any subsequent filtering.
    • If the server double-encodes (decodes then encodes), try encoding twice.
    • Look for other character sets or encodings used by the server.
  7. Exploit with Decoded Payload: If the browser decodes and the server doesn’t properly sanitise, your encoded payload will be executed. 
    https://example.com/search?q=%3Cscript%3Ealert('XSS')%3C/script%3E
  8. Advanced Techniques (if needed):
    • Try different encoding schemes (e.g., UTF-7, Unicode).
    • Use HTML entities if the server decodes those as well.
    • Look for context within the reflected output – can you inject into a JavaScript string?
  9. Report and Remediate: Once confirmed, report the vulnerability to the application developers. Remediation involves proper input validation and output encoding (escaping) on the server-side.

Important Note: Always test XSS vulnerabilities in a controlled environment with permission from the website owner. Unauthorized testing is illegal.

Exit mobile version