Avoiding HTML-escape in XSS

Asked Jun 12 '14 at 22:00

Active Jun 12 '14 at 22:00

Viewed 135 times

I have written in a tiny node.js server for testing purposes:

require('http').createServer(function(req,res){ 
    res.writeHead(200, {"Content-Type":"text/html"}); 
    res.end(req.url); 
}).listen(8888);

The idea is that the url:

http://localhost:8888/Guest

will output

"/Guest".

Numerous tutorials I have seen suggests that the URL:

http://localhost:8888/<script>alert("XSS");</script>

should perform XSS. Instead, I receive the URL-encoded output:

/%3Cscript%3Ealert(%22XSS%22);%3C/script%3E

Why is this? My server clearly has dozens of vulnerabilities, what am I missing?

asked Jun 12 '14 at 22:00

bobbybee

How do you send the request? It’s probably your web client that encode the URL as some characters are required to be encoded (i. e., `<` and `>`). – Gumbo Jun 12 '14 at 22:40
Figured, tests with telnet return the < back. My question really should be: how do the real attacks avoid the victim's browser escaping the tags? – bobbybee Jun 12 '14 at 22:52
Perhaps you are using IE? See http://stackoverflow.com/a/10369475/81179 – ChristopheD Jun 12 '14 at 22:56
Have you tried it as a link rather than directly into the address bar? i.e. `Click` – SilverlightFox Jun 13 '14 at 11:02

0 Answers0