Bypassing url encoding by browser


Trick #8 - Bypassing url encoding by browser

You may find an XSS whose payload only works if the browser does not URL-encode it.

For a PoC of this type of XSS, use Internet Explorer. This browser does not URL-encode the data after the "?" symbol in the URL.


You can also keep all data in the URL from being URL-encoded by delivering it through a redirect (Location header); example in PHP:

header("Location: http://victim/ANY_DATA_HERE_WILL_BE_NOT_ENCODED");
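Seen from the server side, both cases above mean the request target can arrive with raw markup characters, so percent-encoding by the browser cannot be treated as a defense. The following is an added example, not code from the original post: it contrasts a reflection that relies on browser encoding with one that HTML-encodes at output, plus a check that flags targets that arrived unencoded. The function names and sample URLs are hypothetical and constructed for illustration.

```python
import html
import re

# '<', '>' and '"' are percent-encoded in the query string by current
# browsers, so seeing them raw means the client did not encode the URL.
RAW_MARKUP = re.compile(r'[<>"]')


def render_unsafe(request_target: str) -> str:
    """Vulnerable pattern: reflects the raw request target and relies on
    the browser having percent-encoded markup characters."""
    return '<a href="' + request_target + '">permalink</a>'


def render_safe(request_target: str) -> str:
    """Hardened: HTML-encode at output time, however the bytes arrived."""
    return '<a href="' + html.escape(request_target, quote=True) + '">permalink</a>'


def arrived_unencoded(request_target: str) -> bool:
    """Detection hint for logs: raw markup characters in the request target
    (unencoded query string, or a URL delivered via a header redirect)."""
    return RAW_MARKUP.search(request_target) is not None


# Constructed sample inputs: the same URL as sent by a browser that encodes
# the query string, and as received without encoding.
ENCODED = "/search?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E"
RAW = '/search?q="><script>alert(1)</script>'

if __name__ == "__main__":
    for label, target in (("encoded", ENCODED), ("raw", RAW)):
        print(label, "- arrived unencoded:", arrived_unencoded(target))
        print("  unsafe:", render_unsafe(target))
        print("  safe:  ", render_safe(target))
```

The unsafe renderer looks harmless when tested only with an encoding browser, which is why this class of bug survives testing; the safe renderer produces inert output for both inputs.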

Published at 17 Jan'2014
