XSS inside Param tag

I’ve found an unencoded injection point: <Param name="name" value="inject" />

Unfortunately, ASP.NET request validation stops me creating either a new tag or ending the current param tag for onmouseover etc.

Anyone got any pointers from bug bounties for how to turn this into XSS? I’m tempted to say impossible ATM, but there’s always new techniques to learn. Thanks.

Are you able to at least break attribute using "?

Yes. However, I need a closing tag, I believe, for the onmouseover etc.

I haven’t played with that tag, but maybe something is possible. I guess you already tried a lot of things, so maybe it is not possible.

Yeah, tried everything I can think of, and it’s not my first rodeo.

Also I think there are script errors on the page, further complicating things.

I can probably get it using tag but that’s IE only and only a P5.

Okay :-1:
My apologies for not being helpful :sweat_smile: