Link rel=canonical XSS exploitation


#1

Hi guys!

Do you know whether it is exploitable if I can inject a payload into the link rel="canonical" tag?

<link rel="canonical" href="http://google.com/xss{PAYLOAD_HERE}"/>

The > symbol is filtered, but the " one is not, so I can break the tag attribute but cannot escape from it.


#2

Hi skavans,
If you can insert ", then you may want to try adding " rel="import" href="https://someurljusttotest/ and see whether the browser (it only works on Chrome) makes a request to someurljusttotest.


#3

Hi,
It has been a while since this topic was started, but I wonder whether you succeeded in exploiting it or not. I couldn't use the technique that @stefanofindsbugs describes. Having two rel attributes in a tag doesn't help, because the browser only cares about the first one; the second one is ignored (at least in the latest Chrome, version 63.0.3239).


#4

Hi @monochrome, I replied to the other thread you started here: Any Idea to Trigger Execution of JavaScript in rel Tag.