3

When you publish a map in a game called "Fortnite" it asks for a name, a description, and an optional YouTube video. What I'm trying to do is set the "description" to a script tag. Inspect the description on the site here and edit as HTML to see the encoding that happens. The description that you input is set to that `island-header-tagline` h3 tag.

And I'm trying to run a `<script>` tag on an `<h3>` tag. However, it seems that when I try to inject the script tag into the h3 tag it HTML-encodes it (< to &lt; and > to &gt;). So it doesn't actually recognize it as an HTML tag and doesn't run the script. Does anyone know how this would be achieved? Thank you.

Edit: Here is what I'm trying to achieve: Say this is where the input goes: `<h3>USER INPUT</h3>`. I'm trying to do something like this: `<h3></h3><script>alert('test');</script>`. However, < and > are escaped to &lt; and &gt;.

P.S.: I'm learning XSS (For non-malicious purposes)

Dash
  • It would be much clearer if you showed us the code you're using to try and achieve this – ADyson Apr 20 '19 at 22:50
  • Sorry, so say this is where the input goes: `<h3>USER INPUT</h3>`. I'm trying to do something like this `<h3></h3><script>alert('test');</script>` However < and > are escaped to &lt; and &gt; EDIT: As for how the script gets inside the `<h3>` tag, it's a generated page and the input is set to there on generation. – Dash Apr 20 '19 at 22:53
  • Yes but _how_ are you injecting it? Hard-coded? Or using some server side script? Also please add extra code/info via the "edit" button of your question, not via comments. You can comment to let people know you've done it, though – ADyson Apr 20 '19 at 22:57
  • Sorry again, edited and added that code. As for the injection: the page is generated through a program with a unique id (e.g. `www.example.com/{{id}}`), and the input is automatically added into that h3 tag and collected by the generation program. Hope that's enough; I might not be understanding you correctly if not – Dash Apr 20 '19 at 23:02
  • 1
    "The page is generated through a program" what program? written in what language ? – andrew Apr 20 '19 at 23:07
  • 1
    Ok, I'll just explain as much as I can. When you publish a map in a game called "Fortnite" it asks for a name, a description, and an optional YouTube video. What I'm trying to do is set the "description" to a script tag. Inspect the description on the site here (https://epicgames.com/fn/1222-0331-8814) and edit as HTML to see the encoding that happens. The description that you input is set to that `island-header-tagline` h3 tag. – Dash Apr 20 '19 at 23:13
  • @dash that comment is very useful, thanks! – aaaaa says reinstate Monica Apr 20 '19 at 23:24

1 Answer

1

What happens is that Fortnite asks for a "title", and you provide the title in the form of HTML code, such as:

 <script>alert('test');</script>

Then the Fortnite web server accepts that text and, for security reasons, cleans it up. This is done to protect end users from people who would try to insert code like

 <script>StealAllTheMoney();</script>

This is also called "sanitization" of user inputs. We do that in order to protect end users and our web server. Unless there is a vulnerability on Fortnite's side, there is nothing you can do to bypass that sanitization, as it escapes some characters that can be part of malicious inputs. In your case it is at least ">".

  • 1
    Thank you! I guess Fortnite is doing a good job with their security, I still don't know a lot about xss so I appreciate the answer! – Dash Apr 20 '19 at 23:35
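
The output encoding described in the answer above, as an added example that is not part of the original thread and is not Fortnite's code. The function names, the regex-based tag counter and the sample description are assumptions made for illustration; it shows the same description rendered without and with encoding, and why `&` has to be encoded along with `<` and `>`.

```javascript
// Added example: encoding untrusted text before placing it inside <h3>...</h3>.
// All names here are hypothetical; the sample input is constructed.

// Characters that can change how HTML is parsed, mapped to entity forms.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode in a single pass so an "&" produced by one replacement is never re-encoded.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Unsafe: the description is concatenated into the page as-is.
function renderTaglineUnsafe(description) {
  return `<h3 class="island-header-tagline">${description}</h3>`;
}

// Safe: the description is encoded on output, so it can only ever be text.
function renderTagline(description) {
  return `<h3 class="island-header-tagline">${escapeHtml(description)}</h3>`;
}

// What the browser shows for an encoded text node (decode "&amp;" last).
function decodeHtml(text) {
  return text
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Rough count of opening tags an HTML parser would see in a fragment.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

function demo() {
  const description = "<script>alert('test');</script>"; // constructed input
  return {
    unsafeTags: countOpeningTags(renderTaglineUnsafe(description)), // h3 + script
    safeTags: countOpeningTags(renderTagline(description)),         // h3 only
    safeHtml: renderTagline(description),
    // A user who literally types "&lt;" must see "&lt;", not "<".
    roundTrip: decodeHtml(escapeHtml("&lt;b&gt;")),
  };
}

console.log(demo());
```

With encoding applied, the page source contains `&lt;script&gt;` and the visitor sees the description as literal text, which is the behaviour observed in the question.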