This example is similar to the one before, however, you won't be able to use special
characters since they will be HTML encoded. As you will see, you don't really need
any of these characters.
This issue is common in PHP web application because the well known function
used to HTML-encode character (htmlentities) does not encode single quotes (')
unless you told it to using the ENT_QUOTES flag.
Payload
http://192.168.56.101/xss/example7.php?name=Bobby%27;alert%28String.fromCharCode%2868,%2097,%20122,%20122,%20108,%20101,%20114%29%29//
No comments:
Post a Comment