XSS with json_encode


Hello my friends,

This time in English 😉

json_encode does not allow slashes (it escapes them), so you can't use JavaScript tags here.

Now the question is: can I still get XSS despite json_encode?

YES YOU CAN! Just pass the following as the string that json_encode encodes:

<img%20src=x%20onerror=alert(document.cookie);>

Now it works very well, as you can see 😉

Greetings

burncycle
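
The weak encoding next to a hardened one, as an added example (not code from the original post). It assumes the json_encode output is echoed into a response that the browser renders as HTML, and PHP 7.3 or later; the function names and the send_json helper are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample: the payload from the post after URL decoding.
const SAMPLE = '<img src=x onerror=alert(document.cookie);>';

// Weak: default flags escape "/" but leave < and > untouched, so the value
// becomes live markup when the response is rendered as HTML.
function encode_default(string $value): string
{
    return json_encode($value, JSON_THROW_ON_ERROR);
}

// Hardened: <, >, &, ' and " are emitted as \uXXXX escapes. JSON parsers
// decode them to the same string; an HTML parser sees no tag.
function encode_for_html(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($value, $flags | JSON_THROW_ON_ERROR);
}

// Hypothetical endpoint helper: declare the body as JSON and switch off
// MIME sniffing so the browser never treats it as an HTML document.
function send_json(string $value): void
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo encode_for_html($value);
}

if (PHP_SAPI === 'cli') {
    $weak = encode_default(SAMPLE);
    $safe = encode_for_html(SAMPLE);
    echo "default : $weak\n";
    echo "hardened: $safe\n";
    // Compare the decoded values, then check each form for raw angle brackets.
    var_dump(json_decode($weak) === json_decode($safe));
    var_dump(strpbrk($weak, '<>') !== false);
    var_dump(strpbrk($safe, '<>') !== false);
}
```

If the value has to be placed in the HTML body itself and not inside a script or a JSON response, escape it for that context with htmlspecialchars as well.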