0x12 - XML Formatted XSS Payloads
Did you know that injecting XSS payloads into an XML form tends to produce an invalid document if not done properly?

Data submitted as part of XML forms is encapsulated in XML tags. These are defined using names inside the less-than (<) and greater-than (>) characters. Similarly, many XSS payloads use the < and > characters.

Without escaping your XSS payloads, the XML format will be invalid and the server will reject your request before you get to find any vulnerability. To avoid this, make sure to set your Intruder injection point inside the <![CDATA[]]> tag.
How to do it

1. Send the request to Intruder.
2. Pick the injection place (for example the <City>Boston</City> tag in the image).
3. Surround the value with the <![CDATA[]]> tag (i.e. <![CDATA[Boston]]>).
4. Now set the Intruder injection point: <City><![CDATA[§INJECTION_POINT§]]></City>

Wrong: <City>§INJECTION_POINT§</City>
Correct: <City><![CDATA[§INJECTION_POINT§]]></City>
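
Why the "Wrong" form is rejected and the "Correct" one is accepted, shown as an added example (not part of the original tip). The <Address> wrapper, the helper names and the sample values are constructed for illustration. It goes one step beyond the tip by handling a value that itself contains ]]>, which would otherwise close the CDATA section early, and by showing entity escaping as an equivalent alternative.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed request body; only the <City> element comes from the tip above.
TEMPLATE = "<Address><City>{}</City></Address>"


def cdata_wrap(value):
    """Wrap value in a CDATA section.

    A literal ']]>' inside the value would end the section early, so it is
    split across two adjacent CDATA sections.
    """
    return "<![CDATA[" + value.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def parse_city(body):
    """Return the City text the XML parser yields, or None if the body is not well-formed."""
    try:
        return ET.fromstring(body).findtext("City")
    except ET.ParseError:
        return None


def compare(value):
    """Parse the same value inserted raw, CDATA-wrapped and entity-escaped."""
    return {
        "raw": parse_city(TEMPLATE.format(value)),
        "cdata": parse_city(TEMPLATE.format(cdata_wrap(value))),
        "escaped": parse_city(TEMPLATE.format(escape(value))),
    }


if __name__ == "__main__":
    # Constructed, harmless test values containing XML-significant characters.
    for sample in ("Boston", "<b>Boston", "a & b", "x]]>y"):
        print(repr(sample), compare(sample))
```

In both the CDATA and the escaped form the parser hands the application the original characters unchanged, so the wrapping only keeps the request well-formed. Whether the markup is later rendered depends entirely on the application's output encoding.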