Summary
Using the URL encoding with "all characters" works as expected with proper escaping. The "magic wand" used for automatic decoding, however, triggers an XSS on mouseover.
The automatic decoding via mouseover does not properly sanitize the given input.
The vector requires user interaction and is not persistent. This is most likely unexpected and unwanted behaviour and exploitation is very unlikely.
Verified on Chrome Version 71.0.3578.98 (Official Build) (64-bit) and Mozilla Firefox 64.0.
Example
Using the payload "<script>alert(1234)</script>" as input and "url encode all characters" as recipe, the following behaviour can be reproduced. Other JavaScript will also be executed.
Script execution is triggered at least by mouseover on the "magic wand".
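The class of fix for the behaviour reported above, as an added example that is not part of the original report and not CyberChef's own code: the decoded preview is HTML-escaped at the point where it enters the tooltip markup. All function names and the `preview` markup are hypothetical, and the unescaped rendering path is an assumption made to match the reported symptom.

```javascript
// Added example: hypothetical helpers, not CyberChef's code.

// "URL encode, all characters": every UTF-8 byte becomes %XX.
function urlEncodeAll(input) {
  return Array.from(Buffer.from(input, "utf8"))
    .map((b) => "%" + b.toString(16).toUpperCase().padStart(2, "0"))
    .join("");
}

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Decode for preview; a malformed sequence must not throw inside a hover handler.
function decodePreview(encoded) {
  try {
    return decodeURIComponent(encoded);
  } catch (e) {
    return encoded; // fall back to showing the raw input
  }
}

// Before (assumed pattern): decoded data is interpolated into markup unescaped.
function tooltipUnsafe(encoded) {
  return '<div class="preview">' + decodePreview(encoded) + "</div>";
}

// After: decoded data is escaped where it enters the markup.
function tooltipSafe(encoded) {
  return '<div class="preview">' + escapeHtml(decodePreview(encoded)) + "</div>";
}

// Input from the report, encoded with the "all characters" option.
const sample = urlEncodeAll("<script>alert(1234)</script>");
console.log(sample);
console.log(tooltipUnsafe(sample)); // markup contains a live <script> element
console.log(tooltipSafe(sample));   // markup contains only inert text
```

In a browser, assigning the decoded string to an element's `textContent` gives the same result without manual escaping.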