https://soffensive.github.io/tags/cross-site-scripting/Recent content in Cross-Site Scripting on soffensive blogHugoenWed, 05 Apr 2017 04:03:00 -0700https://soffensive.github.io/posts/web-app-sec/2017-04-05-cross-site-scripting-attacks-with-adverse-conditions-upper-case-xss/Wed, 05 Apr 2017 04:03:00 -0700https://soffensive.github.io/posts/web-app-sec/2017-04-05-cross-site-scripting-attacks-with-adverse-conditions-upper-case-xss/<p>Several times I have encountered web applications that convert user-provided input to capital letters. For example, the application may behave as follows:</p> <p><a href="../images/2017-04-05-cross-site-scripting-attacks-with-adverse-conditions-upper-case-xss-up1.png" rel=""><img class="lazyload" src="https://soffensive.github.io/svg/loading.min.svg" data-src="../images/thumbnails/2017-04-05-cross-site-scripting-attacks-with-adverse-conditions-upper-case-xss-up1.png" data-srcset="../images/thumbnails/2017-04-05-cross-site-scripting-attacks-with-adverse-conditions-upper-case-xss-up1.png, ../images/thumbnails/2017-04-05-cross-site-scripting-attacks-with-adverse-conditions-upper-case-xss-up1.png 1.5x, ../images/thumbnails/2017-04-05-cross-site-scripting-attacks-with-adverse-conditions-upper-case-xss-up1.png 2x" data-sizes="auto" alt="../images/thumbnails/2017-04-05-cross-site-scripting-attacks-with-adverse-conditions-upper-case-xss-up1.png" title="../images/thumbnails/2017-04-05-cross-site-scripting-attacks-with-adverse-conditions-upper-case-xss-up1.png" /></a></p> <p>The injected JavaScript code (after escaping from the quotes, of course) will not be executed in the browser. Why is this the case? Remember that the HTML tag names themselves, including <code>&lt;SCRIPT&gt;</code> are not case-sensitive, whereas the contents inside them are in fact case-sensitive.</p>