I have found an entry point that make me able to close the quotation mark then write a payload but my payload doesn’t pops up an alert window.
Let me explain with examples;
When I visit www.example.com/foo, the page contains
<link rel=alternate href="https://www.example.com/foo" />
Using foo" onerror=alert() junk="x, page reflects
<link rel=alternate href="https://www.example.com/foo" onerror=alert() junk="x"/> But in this case, no alert pop-up shows up.
I tried it on my machine by copying page source and saw that If I could change rel=alternate to rel=import , then alert popup would show up. Unfourtunately I can’t do that in the target site.
So any idea about ;
- why the event is not being triggered with rel=alternate
- what is the key difference between import and alternate here?
PS: I am not able to use < , > or their URL encoded versions to close the tag and open up a script tag.
Thanks in advance