
I have been searching for XSS and other vulnerabilities on multiple platforms and I have found that most of them filter it. However, in login forms, if I include “<” or “>” [without quotes], the text in between was not shown in the error message.


Here is what I typed in the username: Admin <script>alert('xss')</script> Hello

Here is what the error message shown: 

  • Error: The username Admin Hello is not registered on this site. If you are unsure of your username, try your email address instead.

I think that this is due to the input sanitizer, or it might be something else that idk.

Has anyone encountered such a situation before?

It seems that you’ve come across an input sanitization technique that simply removes <script> tags and anything inside them.


Different platforms employ various methods to protect against XSS attacks. While some sanitize the input by escaping characters so the script can't execute (which would make the error say “The username Admin &lt;script&gt;alert('xss')&lt;/script&gt; Hello….”), others remove the <script> tags entirely.


An aside: simply removing potential XSS payloads instead of escaping characters is not always a viable solution, since there are other ways to execute JavaScript without a <script> tag. Consider this:

<img src="invalid-image.jpg" onerror="alert('XSS')">

Notice that if your browser went to render this HTML, it would not be able to find the image, and by convention, will execute whatever is inside the onerror attribute, thus another opportunity to execute XSS.


This means that a website that chooses to remove potential XSS payloads without escaping inputs needs to consider all possible ways of executing JavaScript with HTML. So, if you are making a website, sanitize and escape all user inputs!


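The two behaviours the answer above contrasts, as an added example that is not part of the original thread: a naive sanitizer that only strips `<script>` blocks, beside an HTML-escaping function, both run over the thread's own username string and over the `<img onerror>` variant. The function names, the regexes, and the `containsTag` / `containsEventHandler` checks are this example's own assumptions, not any platform's actual filter.

```javascript
// Added example, not code from the thread or from any platform discussed in it.
// Shows why stripping <script> tags alone is weaker than escaping the input.

// Naive "sanitizer": remove <script>...</script> blocks and nothing else.
function stripScriptTags(input) {
  return input.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
}

// Escaping: turn every HTML-significant character into an entity so the
// browser renders the text literally instead of parsing it as markup.
function escapeHtml(input) {
  const entities = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return input.replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Rough defender-side checks on the text that would be placed into the page:
// does any HTML tag survive, and does any tag still carry an on* handler?
function containsTag(html) {
  return /<[a-z][^>]*>/i.test(html);
}

function containsEventHandler(html) {
  return /<[a-z][^>]*\bon\w+\s*=/i.test(html);
}

// Build the error message the way the login form in the question does,
// with a chosen treatment applied to the username before interpolation.
function buildErrorMessage(username, treat) {
  return `Error: The username ${treat(username)} is not registered on this site.`;
}

// Constructed inputs: the exact string typed in the question, and the
// <img onerror> form from the answer, which has no <script> tag to strip.
const SCRIPT_INPUT = "Admin <script>alert('xss')</script> Hello";
const IMG_INPUT = "Admin <img src=\"invalid-image.jpg\" onerror=\"alert('XSS')\"> Hello";

// Stand-alone run: print each treatment and whether active markup survived.
for (const input of [SCRIPT_INPUT, IMG_INPUT]) {
  for (const [name, treat] of [["strip", stripScriptTags], ["escape", escapeHtml]]) {
    const out = buildErrorMessage(input, treat);
    console.log(`${name.padEnd(6)} tag=${containsTag(out)} handler=${containsEventHandler(out)} :: ${out}`);
  }
}
```

Stripping leaves `Admin  Hello` (two spaces where the script block was) for the first input, which matches the shape of the error message in the question, but it passes the `<img ...>` tag through untouched with its `onerror` attribute intact. Escaping turns both inputs into inert text; note that this version also escapes quotes, which is stricter than the `&lt;script&gt;` rendering quoted in the answer and is the usual recommendation for text inserted into HTML attributes as well as element bodies.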