The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Why does the exploit for "Lab: Reflected XSS in a JavaScript URL with some characters blocked" work?

Jorrit | Last updated: Jul 09, 2020 10:47PM UTC

In this lab the infected code will look like this:

<a href="javascript:fetch('/analytics', {method:'post',body:'/post%3fpostId%3d5%26%27},x%3dx%3d%3e{throw/**/onerror%3dalert,1337},toString%3dx,window%2b%27%27,{x%3a%27'}).finally(_ => window.location = '/')">Back to Blog</a>

How does JavaScript know to URL decode these undefined arguments?

x%3dx%3d%3e{throw/**/onerror%3dalert,1337}, toString%3dx, window%2b%27%27, {x%3a%27'}

Thank you! (From a JS noob)

Hannah, PortSwigger Agent | Last updated: Jul 10, 2020 02:18PM UTC

Special characters need to be URL-encoded to function correctly. If these are all blindly decoded, then you may be able to insert characters that will help you in your attack that may not have been permitted otherwise. It's not JavaScript that's decoding the URL-encoding, it's the web server, allowing you to put some special characters in.

- https://developers.google.com/maps/documentation/urls/url-encoding
- Abuse of Encoding Schemes - https://www.cgisecurity.com/lib/URLEmbeddedAttacks.html
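
The decoding step Hannah describes, as an added example that is not part of the forum thread or the PortSwigger lab code: a small Python stand-in for the server builds the "Back to Blog" link from the postId query parameter. The query-string parser percent-decodes the value before the template ever sees it, so a %27 in the request arrives in the javascript: URL as a literal quote that terminates the JS string. The hardened variant re-encodes the value before reflecting it, so the quote stays as %27 inside the string literal. The template, the request URLs and the helper names are constructed for the demonstration.

```python
"""Why a percent-encoded query value ends up as live characters in a
javascript: URL (added example; constructed template, not the lab's code)."""
from urllib.parse import parse_qs, urlsplit, quote
import html

# Simplified version of the lab's link template (constructed for this example).
# {{ and }} are literal braces in str.format.
TEMPLATE = (
    "<a href=\"javascript:fetch('/analytics', {{method:'post',"
    "body:'/post?postId={pid}'}}).finally(_ => window.location = '/')\">"
    "Back to Blog</a>"
)


def decoded_param(request_url: str, name: str = "postId") -> str:
    """What the application sees: parse_qs has already percent-decoded it.

    This is the server-side decoding from the answer above; JavaScript never
    sees the %XX sequences at all.
    """
    params = parse_qs(urlsplit(request_url).query)
    return params.get(name, [""])[0]


def vulnerable_back_link(request_url: str) -> str:
    """Reflect the decoded value straight into the JS string literal."""
    return TEMPLATE.format(pid=decoded_param(request_url))


def hardened_back_link(request_url: str) -> str:
    """Re-encode before reflecting, so no quote, brace or comma survives.

    quote(..., safe="") turns every reserved character (including ' & = ,)
    back into %XX; html.escape then covers the surrounding attribute context.
    """
    safe_value = quote(decoded_param(request_url), safe="")
    return TEMPLATE.format(pid=html.escape(safe_value))


def reflected_value(link: str) -> str:
    """Detection helper: the text that landed inside body:'/post?postId=...'.

    If it contains a raw single quote, user input has closed the JS string
    literal and the rest of the value is parsed as JavaScript.
    """
    after = link.split("postId=", 1)[1]
    return after.split("'})", 1)[0]


if __name__ == "__main__":
    # Constructed request: %26 and %27 are & and ' in percent-encoding.
    req = "/post?postId=5%26%27"
    print("application sees :", decoded_param(req))
    print("vulnerable reflects:", reflected_value(vulnerable_back_link(req)))
    print("hardened reflects  :", reflected_value(hardened_back_link(req)))
```

Run as a script it shows the decoded value containing a literal quote in the vulnerable link and the still-encoded `5%26%27` in the hardened one; for a plain numeric postId both links are identical, so the fix does not change normal behaviour.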

Jorrit | Last updated: Jul 11, 2020 12:15AM UTC