Any Idea to Trigger Execution of JavaScript in rel Tag


#1

Hello Guys,

I have found an entry point that lets me close the quotation mark and then write a payload, but my payload doesn’t pop up an alert window.

Let me explain with examples:
When I visit www.example.com/foo, the page contains <link rel=alternate href="https://www.example.com/foo" />

Using foo" onerror=alert() junk="x, the page reflects <link rel=alternate href="https://www.example.com/foo" onerror=alert() junk="x"/>. But in this case, no alert pop-up shows up.

I tried it on my machine by copying the page source and saw that if I could change rel=alternate to rel=import, then the alert popup would show up. Unfortunately I can’t do that on the target site.

So any idea about:

  • why the event is not being triggered with rel=alternate
  • what is the key difference between import and alternate here?
  • what type of payload triggers a JavaScript execution (XSS I mean) here?

PS: I am not able to use < , > or their URL encoded versions to close the tag and open up a script tag.

Thanks in advance
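The reflection described in the post above, seen from the fixing side, as an added example that is not part of the original thread: the request path is rendered into the href attribute once without escaping and once with attribute escaping, and a small tokenizer shows which attributes the resulting tag ends up with. The function names and the BASE constant are hypothetical, and the sample input is the string quoted in the post.

```javascript
// Added example; renderNaive, renderEscaped, escapeAttr and attrNames are hypothetical names.
const BASE = "https://www.example.com/";

// Pattern described in the post: the path is concatenated into a quoted attribute as-is.
function renderNaive(path) {
  return '<link rel=alternate href="' + BASE + path + '" />';
}

// Encode every character that can end a quoted attribute value or start markup.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hardened form: the whole attribute value goes through escapeAttr before output.
function renderEscaped(path) {
  return '<link rel=alternate href="' + escapeAttr(BASE + path) + '" />';
}

// Minimal attribute tokenizer for one tag; returns the attribute names it contains.
// Usable as a regression check that reflected input never adds attributes.
function attrNames(tag) {
  const inner = tag.replace(/^<\w+/, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Input quoted in the post (no < or > needed to break out of the attribute).
const sample = 'foo" onerror=alert() junk="x';
console.log(attrNames(renderNaive(sample)));   // extra attributes appear
console.log(attrNames(renderEscaped(sample))); // only rel and href remain
```

Escaping only < and > would not help here, because the break-out needs nothing but the double quote.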


#2

Hi @monochrome,

As you can read here https://developer.mozilla.org/en-US/docs/Web/HTML/Element/link, rel=alternate is an alternate stylesheet, so it’s not loaded by default from what I understand.

I hope it helps.


#3

Thanks for the answer, @stefanofindsbugs.

Best of luck