How to confirm if it's a case of XSS



  • On a training website where instructors can create Q&A exams for their students, an instructor put a question about XSS. Part of the question was http://abcd.com/options# . When I took the exam, that part of the question showed up on my screen as:

    [screenshot not available]

    I believe that the website renders any input from the instructor without sanitizing it. I tunneled the request through Burp and noticed that I did not get an alert box because the quotes around XSS were \u201c and \u201d. However, when I changed the response from

    <img src=1 onerror=alert("XSS")>
    

    to

    <img src=http://randomwebsite.com onerror=alert("XSS")>
    

    before sending it to the browser, a DNS-over-HTTPS request to resolve randomwebsite.com was initiated from my browser (I have DoH enabled on my browser).

    I want to report it to their bug-bounty program, but I'm doubtful whether changing the quotes to their Unicode counterparts is part of a protection or simply a coincidence: the instructor probably copy-pasted the question from MS Word, which made the change for them. Unfortunately, I do not have access to an instructor account.

    Is there a way to confirm if this is XSS? Is the DNS-over-HTTPS request enough proof for it?



  • That looks like a real XSS vulnerability, and I do think you should report it.

    To get around the problems with the quotes, simply pass a number instead of a string to the alert function, e.g. alert(1). That way, you don't need the quotes but you can still demonstrate that JS is executed. That should be enough to prove that the vulnerability is real.

    If you really want the alert to say XSS, you can create strings without using quotes like this:

    String.fromCharCode(88) + String.fromCharCode(83) + String.fromCharCode(83)
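The question asks whether swapping straight quotes for curly ones counts as a protection. The following JavaScript is an added illustration from a defender's point of view and is not code from either post or from the training site: it contrasts a quote-substituting "filter" with proper HTML output encoding, using the two payloads already shown on this page. The function names and the `containsEventHandlerTag` check (a stand-in for the browser's HTML parser) are assumptions for the demonstration.

```javascript
// Two ways a site might process instructor-supplied question text before
// inserting it into the exam page. Only the second one is a real defence.

// Naive "filter": swap straight quotes for typographic ones. This is what a
// word-processor copy-paste does, and what the asker wondered might be a
// deliberate protection. It leaves every tag and event handler intact.
function replaceQuotes(input) {
  return input.replace(/"/g, "\u201c").replace(/'/g, "\u2018");
}

// Output encoding for an HTML text context: each character that can change
// the markup becomes an entity, so the browser shows it as literal text.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Minimal check standing in for the browser's parser (assumption): does the
// output still contain a raw tag carrying an on* event-handler attribute?
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Sample inputs taken from the posts above: the original payload with
// straight quotes, and the answer's quote-free variant.
const SAMPLES = [
  '<img src=1 onerror=alert("XSS")>',
  '<img src=1 onerror=alert(1)>',
];

// Apply a filter to every sample and report, per sample, whether a live
// event handler survives. A real defence must return false for all of them.
function evaluate(filter) {
  return SAMPLES.map((s) => containsEventHandlerTag(filter(s)));
}

console.log("replaceQuotes:", evaluate(replaceQuotes)); // [ true, true ]
console.log("escapeHtml:   ", evaluate(escapeHtml));    // [ false, false ]
```

The quote substitution makes the first payload's `alert("XSS")` fail to parse as JavaScript, but the handler attribute still reaches the browser, so the answer's `alert(1)` variant (and the DNS lookup the asker observed) work unchanged. Only context-appropriate encoding, or a whitelist sanitizer if instructors are meant to use some markup, stops the tag from being interpreted.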
    
