
Prevent URL encoding on form submit

Çağlar Arlı


During an engagement, I found a potential XSS vulnerability on a page. There is an HTML form that is submitted to this page (POST method) and sent parameters are reflected (without encoding) in the response.

If I use a proxy tool (e.g. Burp Suite) and change my request POST body from:

param1=val1&param2=val2&param3=val3

to:

param1=val1" onmouseover="alert(1337)&param2=val2&param3=val3

Then my payload is executed.

I'm trying to create a PoC for this issue by creating a custom HTML page with a hidden form pointing at the vulnerable page that will automatically submit; however, I'm running into the following issues:

  • By default, the values are automatically URL encoded by the browser. This breaks the payload and the XSS doesn't work.
  • I can prevent URL-encoding by changing the form encoding to text/plain but the application does not accept that encoding and returns an empty page.
  • It has to be a POST request with the data in the body; if I use a GET request, the application ignores GET parameters.

So, is there a way to prevent the browser from URL-encoding the form values, while keeping the content type as application/x-www-form-urlencoded?
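As an added illustration from the defensive side (not part of the question above), the Python snippet below reproduces the attribute-context reflection the post describes using the exact POST body from the question, then shows the server-side fix: HTML-attribute encoding of the reflected value. The `<input>` template, the parameter handling and the parser-based check are assumptions standing in for the real application.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed POST body copied from the question: the first value closes the
# quoted attribute and injects an event handler. Not real captured traffic.
POST_BODY = 'param1=val1" onmouseover="alert(1337)&param2=val2&param3=val3'


def _param1(body: str) -> str:
    """Stand-in for the application's body parsing (assumed, not the real app)."""
    params = parse_qs(body, keep_blank_values=True)
    return params.get("param1", [""])[0]


def render_unsafe(body: str) -> str:
    """Reflect param1 into a value attribute with no encoding: the reported bug."""
    return f'<input type="text" name="param1" value="{_param1(body)}">'


def render_safe(body: str) -> str:
    """Same reflection, but attribute-encoded; quote=True turns '"' into &quot;."""
    safe_value = html.escape(_param1(body), quote=True)
    return f'<input type="text" name="param1" value="{safe_value}">'


class _AttrCollector(HTMLParser):
    """Collect the attributes a browser's tokenizer would see on the input tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs.update(attrs)


def event_handlers(markup: str) -> list:
    """Names of on* attributes parsed from markup; non-empty means an injected handler."""
    parser = _AttrCollector()
    parser.feed(markup)
    return sorted(name for name in parser.attrs if name.startswith("on"))


if __name__ == "__main__":
    print("unsafe:", render_unsafe(POST_BODY), event_handlers(render_unsafe(POST_BODY)))
    print("safe:  ", render_safe(POST_BODY), event_handlers(render_safe(POST_BODY)))
```

The check deliberately inspects parsed attributes rather than searching for the string `onmouseover`, since the encoded version still contains that text but only inside the `value` attribute's data.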