Why isn't this XSS working?












5















I'm learning DOM XSS and I have this code : 



<html>

 <body>

     Select your language:

     <select>

        <script>

        document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");

        document.write("<OPTION value=2>English</OPTION>");

         </script>

     </select>

 </body>

</html>


but I don't understand why this payload doesn't trigger any XSS : 



t.html?default=test</option><img src=x onerror=alert(1)/>


It looks like the symbols are encoded and I don't understand why...



I took the script from https://www.owasp.org/index.php/DOM_Based_XSS so I guess it's vulnerable but I don't know how to exploit it...






xss







share|improve this question





























    5















    I'm learning DOM XSS and I have this code : 



    <html>
    
 <body>
    
     Select your language:
    
     <select>
    
        <script>
    
        document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");
    
        document.write("<OPTION value=2>English</OPTION>");
    
         </script>
    
     </select>
    
 </body>
    
</html>


    but I don't understand why this payload doesn't trigger any XSS : 



    t.html?default=test</option><img src=x onerror=alert(1)/>


    It looks like the symbols are encoded and I don't understand why...



    I took the script from https://www.owasp.org/index.php/DOM_Based_XSS so I guess it's vulnerable but I don't know how to exploit it...






    xss







    share|improve this question



























      5












      5








      5








      I'm learning DOM XSS and I have this code : 



      <html>
      
 <body>
      
     Select your language:
      
     <select>
      
        <script>
      
        document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");
      
        document.write("<OPTION value=2>English</OPTION>");
      
         </script>
      
     </select>
      
 </body>
      
</html>


      but I don't understand why this payload doesn't trigger any XSS : 



      t.html?default=test</option><img src=x onerror=alert(1)/>


      It looks like the symbols are encoded and I don't understand why...



      I took the script from https://www.owasp.org/index.php/DOM_Based_XSS so I guess it's vulnerable but I don't know how to exploit it...






      xss







      share|improve this question
















      I'm learning DOM XSS and I have this code : 



      <html>
      
 <body>
      
     Select your language:
      
     <select>
      
        <script>
      
        document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");
      
        document.write("<OPTION value=2>English</OPTION>");
      
         </script>
      
     </select>
      
 </body>
      
</html>


      but I don't understand why this payload doesn't trigger any XSS : 



      t.html?default=test</option><img src=x onerror=alert(1)/>


      It looks like the symbols are encoded and I don't understand why...



      I took the script from https://www.owasp.org/index.php/DOM_Based_XSS so I guess it's vulnerable but I don't know how to exploit it...






      xss




      xss






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited yesterday









      Alex Probert

      3191215




      3191215










      asked yesterday









      NeolexNeolex

      10219




      10219






















          1 Answer
          1






          active

          oldest

          votes


















          12














          It doesn't work because the payload is URL-encoded.



          If you navigate to



          https://example.com/?foo=<>"


          you will see the literal characters <>" in your URL bar, but the browser has actually requested



          https://example.com/?foo=%3C%3E%22


          . That is, your browser always URL-encodes some characters in the query string, including quotes and angle brackets.



          So, if you access location.href via JS, the payload in your example will be returned as



          test%3C/option%3E%3Cimg%20src=x%20onerror=alert(1)/%3E


          . This does not produce any HTML tags unless you URL-decode it first.



          Note: As far as I know, all modern browsers now behave that way, but historically, some implementations have implicitly URL-decoded values for the location interface. In these browsers, your attack would have worked.






          share|improve this answer


























          • Oh I see... Ok ! Thank you so much ! So this webpage is not vulnerable anymore ?

            – Neolex
            yesterday






          • 2





            There may still be browsers that let you sneak literal quotes and angle brackets somewhere in the URL where they don't get URL-encoded. But I believe your example isn't vulnerable in modern Chrome and Firefox.

            – Arminius
            yesterday











          • Ok ! Thanks a lot !

            – Neolex
            yesterday











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "162"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206018%2fwhy-isnt-this-xss-working%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          12














          It doesn't work because the payload is URL-encoded.



          If you navigate to



          https://example.com/?foo=<>"


          you will see the literal characters <>" in your URL bar, but the browser has actually requested



          https://example.com/?foo=%3C%3E%22


          . That is, your browser always URL-encodes some characters in the query string, including quotes and angle brackets.



          So, if you access location.href via JS, the payload in your example will be returned as



          test%3C/option%3E%3Cimg%20src=x%20onerror=alert(1)/%3E


          . This does not produce any HTML tags unless you URL-decode it first.



          Note: As far as I know, all modern browsers now behave that way, but historically, some implementations have implicitly URL-decoded values for the location interface. In these browsers, your attack would have worked.






          share|improve this answer


























          • Oh I see... Ok ! Thank you so much ! So this webpage is not vulnerable anymore ?

            – Neolex
            yesterday






          • 2





            There may still be browsers that let you sneak literal quotes and angle brackets somewhere in the URL where they don't get URL-encoded. But I believe your example isn't vulnerable in modern Chrome and Firefox.

            – Arminius
            yesterday











          • Ok ! Thanks a lot !

            – Neolex
            yesterday
















          12














          It doesn't work because the payload is URL-encoded.



          If you navigate to



          https://example.com/?foo=<>"


          you will see the literal characters <>" in your URL bar, but the browser has actually requested



          https://example.com/?foo=%3C%3E%22


          . That is, your browser always URL-encodes some characters in the query string, including quotes and angle brackets.



          So, if you access location.href via JS, the payload in your example will be returned as



          test%3C/option%3E%3Cimg%20src=x%20onerror=alert(1)/%3E


          . This does not produce any HTML tags unless you URL-decode it first.



          Note: As far as I know, all modern browsers now behave that way, but historically, some implementations have implicitly URL-decoded values for the location interface. In these browsers, your attack would have worked.






          share|improve this answer


























          • Oh I see... Ok ! Thank you so much ! So this webpage is not vulnerable anymore ?

            – Neolex
            yesterday






          • 2





            There may still be browsers that let you sneak literal quotes and angle brackets somewhere in the URL where they don't get URL-encoded. But I believe your example isn't vulnerable in modern Chrome and Firefox.

            – Arminius
            yesterday











          • Ok ! Thanks a lot !

            – Neolex
            yesterday














          12












          12








          12







          It doesn't work because the payload is URL-encoded.



          If you navigate to



          https://example.com/?foo=<>"


          you will see the literal characters <>" in your URL bar, but the browser has actually requested



          https://example.com/?foo=%3C%3E%22


          . That is, your browser always URL-encodes some characters in the query string, including quotes and angle brackets.



          So, if you access location.href via JS, the payload in your example will be returned as



          test%3C/option%3E%3Cimg%20src=x%20onerror=alert(1)/%3E


          . This does not produce any HTML tags unless you URL-decode it first.



          Note: As far as I know, all modern browsers now behave that way, but historically, some implementations have implicitly URL-decoded values for the location interface. In these browsers, your attack would have worked.






          share|improve this answer















          It doesn't work because the payload is URL-encoded.



          If you navigate to



          https://example.com/?foo=<>"


          you will see the literal characters <>" in your URL bar, but the browser has actually requested



          https://example.com/?foo=%3C%3E%22


          . That is, your browser always URL-encodes some characters in the query string, including quotes and angle brackets.



          So, if you access location.href via JS, the payload in your example will be returned as



          test%3C/option%3E%3Cimg%20src=x%20onerror=alert(1)/%3E


          . This does not produce any HTML tags unless you URL-decode it first.



          Note: As far as I know, all modern browsers now behave that way, but historically, some implementations have implicitly URL-decoded values for the location interface. In these browsers, your attack would have worked.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited yesterday

























          answered yesterday









          ArminiusArminius

          37.8k13123120




          37.8k13123120













          • Oh I see... Ok ! Thank you so much ! So this webpage is not vulnerable anymore ?

            – Neolex
            yesterday






          • 2





            There may still be browsers that let you sneak literal quotes and angle brackets somewhere in the URL where they don't get URL-encoded. But I believe your example isn't vulnerable in modern Chrome and Firefox.

            – Arminius
            yesterday











          • Ok ! Thanks a lot !

            – Neolex
            yesterday



















          • Oh I see... Ok ! Thank you so much ! So this webpage is not vulnerable anymore ?

            – Neolex
            yesterday






          • 2





            There may still be browsers that let you sneak literal quotes and angle brackets somewhere in the URL where they don't get URL-encoded. But I believe your example isn't vulnerable in modern Chrome and Firefox.

            – Arminius
            yesterday











          • Ok ! Thanks a lot !

            – Neolex
            yesterday

















          Oh I see... Ok ! Thank you so much ! So this webpage is not vulnerable anymore ?

          – Neolex
          yesterday





          Oh I see... Ok ! Thank you so much ! So this webpage is not vulnerable anymore ?

          – Neolex
          yesterday




          2




          2





          There may still be browsers that let you sneak literal quotes and angle brackets somewhere in the URL where they don't get URL-encoded. But I believe your example isn't vulnerable in modern Chrome and Firefox.

          – Arminius
          yesterday





          There may still be browsers that let you sneak literal quotes and angle brackets somewhere in the URL where they don't get URL-encoded. But I believe your example isn't vulnerable in modern Chrome and Firefox.

          – Arminius
          yesterday













          Ok ! Thanks a lot !

          – Neolex
          yesterday





          Ok ! Thanks a lot !

          – Neolex
          yesterday


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Information Security Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206018%2fwhy-isnt-this-xss-working%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          He _____ here since 1970 . Answer needed [closed]What does “since he was so high” mean?Meaning of “catch birds for”?How do I ensure “since” takes the meaning I want?“Who cares here” meaningWhat does “right round toward” mean?the time tense (had now been detected)What does the phrase “ring around the roses” mean here?Correct usage of “visited upon”Meaning of “foiled rail sabotage bid”It was the third time I had gone to Rome or It is the third time I had been to Rome

          Image
          Engineer refusing to file/disclose patents Extending the spectral theorem for bounded self adjoint operators to bounded normal operators Do varchar(max), nvarchar(max) and varbinary(max) columns affect select queries? Why is it that I can sometimes guess the next note? What linear sensor for a keyboard? Why don’t women say שלא עשני גויה and שפחה, according to Ashkenazim? Did arcade monitors have same pixel aspect ratio as TV sets? anything or something to eat Query about absorption line spectra Can I use my Chinese passport to enter China after I acquired another citizenship? Fuse symbol on toroidal transformer Create all possible words using a set or letters Does the Mind Blank spell prevent the target from being frightened? Can I sign legal documents with a smiley face? When quoting, must I also copy hyphens used to divide words that continue on the next line? Hot bath for aluminium engine block and heads Journal losing indexing services Is it possib
          Read more

          Bunad

          Image
          Tradisjonelle folkedrakter frå Aust-Telemark, truleg frå 1880-åra. Drakter som dette er grunnlaget for moderne bunadar. Foto: Axel Lindahl Bunad frå Eggedal i Buskerud fotografert i 1906. Bunad (frå kledebunad , der norrønt «búnaðr» har same rot som (føre)bu) er ei samnemning brukt om klesdrakter i tradisjonell nordisk stil — ofte utvikla frå folkedrakter, men likevel i ein eigen tradisjon. Ein bunad er typisk ei forseggjort og kostbar drakt, med mykje broderi, og med handsmidde smykke i gull eller sølv, særleg dei særeigne søljene, som obligatorisk prynad i tillegg. Bunad og bunadbruk er eit debattemne med mange ulike oppfatningar, til dømes om kva som er ein bunad, og om ein kan endra på utforminga av draktene eller ikkje. Den norske bunadrørsla går tilbake til folkedansrørsla og føregangsfolk som Hulda Garborg og Klara Semb. I dag blir bunad brukt som nasjonaldrakt. Festbunad er likestilt med galla-antrekk, og ofte nytta ved særskilde høve, som konfirmasjonar eller d
          Read more

          Færeyskur hestur Heimild | Tengill | Tilvísanir | LeiðsagnarvalRossið - síða um færeyska hrossið á færeyskuGott ár hjá færeyska hestinum

          Image
          FæreyjarHestar færeyskahjaltlandshestinumíslenski hesturinnBretlandskolanámumenskuWikipediafæreyskuWikipediaRossið - síða um færeyska hrossið á færeysku Færeyskur hestur Úr Wikipediu, frjálsa alfræðiritinu Jump to navigation Jump to search Rani og Grani. Grani í vetrarfeldi. Færeyski hesturinn (færeyska: Føroyska rossið ) er hestur sem hefur lifað í Færeyjum í hundruði ára. Hann er smágerður, 120-132 cm á hæð, og helst skyldur hjaltlandshestinum. Hlutverk hans var að draga vagna og plóg og bera klyfjar. Hann hefur fjórar gangtegundir eins og íslenski hesturinn (þar með talið tölt) og er með fjölda litaafbrigði. Nú til dags er hann notaður til frístunda. Í lok 19. aldar voru til um 800 hross. Mörg þeirra voru seld til Bretlands til að vinna í kolanámum og um 1960 voru aðeins nokkrir hestar eftir. Átak var gert í að varðveita hestinn og eru nú til 70-80 hross í Færeyjum. [1] Heimild |   Wikimedia Commons er með margmiðlunarefni sem te
          Read more