Jan Cinert

False positive | Unencoded characters

Discussion created by Jan Cinert on Nov 5, 2013
Latest reply on Nov 6, 2013 by Philip Niegos


sf_guard_user[group_id]=%22'%3E%3Cqss%20%60%3b!--%3D%26%7b()%7d %3E


#1 Response

comment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy.

<script type="text/javascript">
    /* <![CDATA[ */
    var a = "\"'><qss `;!--=&{()}";
    /* ]]> */


The response does not have a vulnerability.


  1. The <>& characters do not have to be HTML encoded. They are inside a CDATA section.
  2. The " character is correctly encoded as \". It is inside a JS string wrapped in " characters.
  3. The ' character does not have to be encoded. It is inside a JS string that is not wrapped in ' characters.
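An added check, not code from the original thread, that replays this verdict: it decodes the sent parameter, reproduces the minimal escaping visible in the echoed literal and scans that literal for anything that would end the string or the enclosing script element. The trailing " %3E" of the sent value does not appear in the quoted response, so it is omitted here (assumption); the stricter encoder and the </script> case are a reviewer's caveat, not something the scanner reported.

```javascript
// Added example (not from the original thread): re-check the verdict that a
// value echoed into a double-quoted JS string was escaped sufficiently.

// The scanner's parameter value as quoted in the post, minus the trailing
// " %3E" which does not appear in the echoed response (assumption).
const SENT = "%22'%3E%3Cqss%20%60%3b!--%3D%26%7b()%7d";
// Body of the literal in the response, i.e. the part between the quotes of
//   var a = "\"'><qss `;!--=&{()}";
const ECHOED = '\\"\'><qss `;!--=&{()}';

// Minimal escaping, which is what the echoed response shows: only the
// backslash and the double quote are escaped.
function escapeMinimal(value) {
  return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}

// Stricter escaping a reviewer would ask for: also encodes <, >, & and line
// terminators as \uXXXX so a sequence like </script> cannot appear verbatim.
function escapeStrict(value) {
  return escapeMinimal(value).replace(/[<>&\r\n\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Scan a literal body and report the first thing that would end the string
// or the enclosing script element; null means the value stays a plain string.
function jsStringBreakout(literalBody) {
  if (/<\/script/i.test(literalBody)) return "closes the script element";
  for (let i = 0; i < literalBody.length; i++) {
    const c = literalBody[i];
    if (c === "\\") { i++; continue; }          // escaped character: skip it
    if (c === '"') return "unescaped double quote ends the string";
    if (c === "\n" || c === "\r") return "raw line break ends the string";
  }
  return null;
}

// Compare what was sent with what came back and summarise the result.
function verdict(sentEncoded, echoedBody) {
  const decoded = decodeURIComponent(sentEncoded);
  return {
    decoded,
    escapedAsExpected: escapeMinimal(decoded) === echoedBody,
    breakout: jsStringBreakout(echoedBody),
  };
}

console.log(verdict(SENT, ECHOED));
```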