Jan Cinert

False positive | Reflected Cross-Site Scripting (XSS) Vulnerabilities

Discussion created by Jan Cinert on Nov 5, 2013
Latest reply on Nov 6, 2013 by Mike Shema

Payload "'><qss%20a=@REQUESTID@>


#1 Response

comment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy.

<script type="text/javascript">
    /* <![CDATA[ */
    var a = "\"'><qss%20a=@REQUESTID@>";
    /* ]]> */

The response does not have a vulnerability.


  1. The <> characters do not have to be HTML encoded. They are inside a CDATA section.
  2. The " character is correctly encoded as \". It is inside a JS string wrapped in " characters.
  3. The ' character does not have to be encoded. It is inside a JS string that is not wrapped in ' characters.
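
The manual verification the scanner comment asks for can be done mechanically: lex the script body, find the string literal holding the reflection, and confirm that the literal decodes back to the full payload. The JavaScript below is an added example, not part of the original post or of the scanner; `readString`, `classifyReflection` and the `unescaped` sample are hypothetical names and constructed input.

```javascript
// Added example (not from the thread). Simplified lexer: handles comments and
// '...' / "..." literals only; template and regex literals are not modelled.
function readString(src, start) {
  const quote = src[start];
  let value = "";
  for (let j = start + 1; j < src.length; j++) {
    const c = src[j];
    if (c === "\\") { value += src[++j] ?? ""; continue; } // \" \' \\ -> the char itself
    if (c === "\n") return { value, raw: src.slice(start, j), end: j, closed: false };
    if (c === quote) return { value, raw: src.slice(start, j + 1), end: j + 1, closed: true };
    value += c;
  }
  return { value, raw: src.slice(start), end: src.length, closed: false };
}

// payload: the string the scanner sent; marker: a substring unique to it.
function classifyReflection(scriptBody, payload, marker) {
  let i = 0;
  while (i < scriptBody.length) {
    const two = scriptBody.slice(i, i + 2);
    if (two === "/*" || two === "//") {          // skip comments
      const close = two === "/*" ? "*/" : "\n";
      const end = scriptBody.indexOf(close, i + 2);
      i = end === -1 ? scriptBody.length : end + close.length;
    } else if (scriptBody[i] === '"' || scriptBody[i] === "'") {
      const lit = readString(scriptBody, i);
      if (lit.raw.includes(marker)) {
        // The HTML parser ends the script element at "</script" before JS runs.
        if (/<\/script/i.test(lit.raw)) return "not-contained";
        return lit.closed && lit.value.includes(payload) ? "contained" : "not-contained";
      }
      i = lit.end;
    } else {
      i++;
    }
  }
  return scriptBody.includes(marker) ? "outside-string" : "not-reflected";
}

const PAYLOAD = String.raw`"'><qss%20a=@REQUESTID@>`;   // payload quoted in the post
// Script body from the post, and a constructed variant with the " left unescaped.
const reported = String.raw`/* <![CDATA[ */
var a = "\"'><qss%20a=@REQUESTID@>";
/* ]]> */`;
const unescaped = String.raw`var a = ""'><qss%20a=@REQUESTID@>";`;

console.log(classifyReflection(reported, PAYLOAD, "qss%20a="));   // contained
console.log(classifyReflection(unescaped, PAYLOAD, "qss%20a="));  // not-contained
```

A "contained" result means the payload is data inside a single string literal; any other result means the finding still needs manual review.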