Bypassing url encoding by browser

  • A+
所属分类:WEB安全

/ #8

Trick #8 - Bypassing url encoding by browser

You can have a situation when you found XSS which should not to url encoded by browser.

For PoC for this type of XSS use Internet Explorer. This browser doesn't encode all data after "?" symbol in url, example

http://victim/THESE_DATA_WILL_BE_ENCODED?____BUT____THESE____ARE___NOT

Also you can disable urlencoding all data in url (after redirection by header), example in php:


header("Location: http://victim/ANY_DATA_HERE_WILL_BE_NOT_ENCODED");


Publised at 17 Jan'2014 |

  • 我的微信
  • 这是我的微信扫一扫
  • weinxin
  • 我的微信公众号
  • 我的微信公众号扫一扫
  • weinxin

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: