Burp Suite User Forum

Scanner: XSS with percent sign

August | Last updated: Sep 07, 2016 06:49PM UTC

Burp Scanner recently flagged an XSS finding where the injected string was <%MWITE>. Further investigation revealed that the application would also reflect <%script>. Under what circumstances is this actually exploitable? Are there certain browsers that will execute a script tag formed like this?

PortSwigger Agent | Last updated: Sep 08, 2016 08:22AM UTC

We don't believe that you can put a % character into a script tag and have it work. But you can put the % character into the name of a custom tag and it will be tolerated by IE. Given that, you can then use styles (or maybe other attributes) within the tag definition to attempt to introduce an attack.
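
For anyone fixing a finding like this one, the following added example (not part of the original posts and not PortSwigger code) contrasts a tag-name denylist with output encoding, using the two strings quoted in the thread. The function names and the denylist pattern are assumptions made for illustration; the thread does not say how the application filters input.

```javascript
// Added example: all names and the denylist pattern are hypothetical.

// Weak: a denylist that only recognises tags whose name starts with a letter.
// Assumed here as one plausible reason an app would still reflect "<%MWITE>".
function denylistFilter(input) {
  return input.replace(/<\/?[a-zA-Z][^>]*>/g, "");
}

// Hardened: encode every HTML metacharacter at output time, so a reflected
// value cannot open a tag, whatever characters follow the "<".
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function encodeForHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Regression check: does the rendered value still contain a raw "<"
// immediately followed by something that could begin markup?
function reflectsRawTag(rendered) {
  return /<[^\s>]/.test(rendered);
}

// Constructed sample inputs: the two strings quoted in the thread plus a plain tag.
const SAMPLES = ["<%MWITE>", "<%script>", "<b>x</b>"];

// Run every sample through a rendering function and record the outcome.
function audit(render) {
  return SAMPLES.map((s) => {
    const output = render(s);
    return { input: s, output, rawTag: reflectsRawTag(output) };
  });
}

console.log("denylist:", audit(denylistFilter));
console.log("encoded: ", audit(encodeForHtml));
```

The `reflectsRawTag` check can be reused as a unit-test assertion on any template helper that renders user-controlled values into an HTML body context.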
