Is this potential XSS exploitable?
  • I am pentesting a website and I found that I can inject code at value=""

    <input type="text" id="search_1" name="keyword" placeholder="Search by keyword" value="XSS?" class="search-input input-group-field with-floating-label" data-module="autocomplete" required>

    I can enter all characters except double quotes (") because it encodes them for me.

    So, my question is: can I exploit XSS without leaving the value="" attribute, or is there any way to get out of the value?


  • QA Engineer

    No, if you can't enter double quotes you cannot escape from the attribute value. See the WHATWG spec for details on how browsers parse attribute values. The possible parser state transitions in that state (the "attribute value (double-quoted) state") are:

    character            effect
    "   (double quote)   end attribute value
    &   (ampersand)      parse a character reference
    NULL                 error, but will continue parse
    EOF                  error, will end parse
    other characters     added to attribute value

    So unless there is a bug in the HTML parser, you cannot escape. The ampersand (&) is the only interesting character in this context, but it does not lead to parser states that would terminate the attribute value. A null character will be substituted with the U+FFFD replacement character, so it will not lead to interesting behaviour in the browser.

    However, the web application will do something interesting with that input value. Maybe this “something” will have exploitable vulnerabilities if you can provide a specially prepared value.
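A walk-through of the answer's parser table, as an added example that is not part of the original thread: it follows the WHATWG double-quoted attribute value state over constructed inputs placed into a hypothetical `value=""` template, and shows that a quote supplied as `&quot;` or `&#34;` is decoded into the value but never terminates it, while only a raw `"` ends the attribute.

```python
import html
import re

# Constructed template (hypothetical page): user input lands inside value="...".
TEMPLATE = '<input type="text" name="keyword" value="{}" required>'

# Matches a character reference as the tokenizer would try to consume it.
CHAR_REF = re.compile(r'&(#x[0-9A-Fa-f]+|#[0-9]+|[A-Za-z0-9]+);')


def attr_value_double_quoted(s: str, start: int):
    """Consume characters after the opening '"' following the WHATWG
    'attribute value (double-quoted) state'.
    Returns (value as the browser stores it, index just past the closing
    quote, or None when EOF is hit inside the attribute)."""
    out, i = [], start
    while i < len(s):
        c = s[i]
        if c == '"':                      # the only transition that ends the value
            return ''.join(out), i + 1
        if c == '&':                      # character reference: decoded, never terminates
            m = CHAR_REF.match(s, i)
            if m:
                out.append(html.unescape(m.group(0)))
                i = m.end()
                continue
        if c == '\0':                     # parse error, replaced by U+FFFD
            c = '\ufffd'
        out.append(c)
        i += 1
    return ''.join(out), None             # EOF in attribute: parse error, parse ends


def inject_and_parse(user_input: str, encode: bool = True):
    """Place user_input into the template (HTML-attribute-encoded when encode is
    True, as the answer says the site does) and tokenize the attribute.
    Returns (attribute value, True if the input ended the attribute early)."""
    injected = html.escape(user_input, quote=True) if encode else user_input
    page = TEMPLATE.format(injected)
    start = page.index('value="') + len('value="')
    value, end = attr_value_double_quoted(page, start)
    # The value broke out only if the closing quote lies within the injected text.
    broke_out = end is not None and end <= start + len(injected)
    return value, broke_out


if __name__ == "__main__":
    for text, enc in [('XSS?', False), ('abc"def', False), ('abc"def', True), ('a&#34;b', False)]:
        print(repr(text), "encoded" if enc else "raw", "->", inject_and_parse(text, enc))
```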
