I was working on a website to find vulnerabilities, that I found a url which accepted a GET parameter “via” and reflected it back into the response, inside script tags. But the reflection was so weird, when I input special characters. Can someone explain please what’s happening here?
Here is the inputs that I tried, along with the corresponding response:
GET /endpoint?lc=EN_US&via=xss&token=123 HTTP/2:{pageName: 'US:en:2.0:MY Photos :Albums: xss Public Share'}GET /endpoint?lc=EN_US&via=xss&token=123 HTTP/2:{pageName: 'US:en:2.0:MY Photos :Albums: xss$1token=123 Public Share'}GET /endpoint?lc=EN_US&via=xss&token=123 HTTP/2:{pageName: 'US:en:2.0:MY Photos :Albums: xss Public Share'}GET /endpoint?lc=EN_US&via=xs�s&token=123 HTTP/2:{pageName: 'US:en:2.0:MY Photos :Albums: xs$1s Public Share'}GET /endpoint?lc=EN_US&via=xs1s&token=123 HTTP/2:{pageName: 'US:en:2.0:MY Photos :Albums: xss Public Share'}GET /endpoint?lc=EN_US&via=xsas&token=123 HTTP/2:{pageName: 'US:en:2.0:MY Photos :Albums: xsas Public Share'}GET /endpoint?lc=EN_US&via=xs\s&token=123 HTTP/2:{pageName: 'US:en:2.0:MY Photos :Albums: xss Public Share'}- GET /endpoint?lc=EN_US&via=xs`s&token=123 HTTP/2:
{pageName: 'US:en:2.0:MY Photos :Albums: xs/s Public Share'} GET /endpoint?lc=EN_US&via=xs's&token=123 HTTP/2:{pageName: 'US:en:2.0:MY Photos :Albums: xss Public Share'}GET /endpoint?lc=EN_US&via=xs's&token=123 HTTP/2:{pageName: 'US:en:2.0:MY Photos :Albums: xs's Public Share'}GET /endpoint?lc=EN_US&via=xss%5c&token=123 HTTP/2:{pageName: 'US:en:2.0:MY Photos :Albums: xss Public Share'}