Is it possible that a browser renders html content inside a xml file properly
I have to secure a RESTful service in terms of XSS. The query function
uses XML for rquest and response.
This is the request from an attacker:
<Query>
<Term>
<![CDATA[<html>
<body>
<script> alert('XSS'); </script>
</body>
</html>
]]>
</Term>
</Query>
This is the response from the server:
<Query>
<Result>
No results found for:
<![CDATA[<html>
<body>
<script> alert('XSS'); </script>
</body>
</html>
]]>
</Result>
</Query>
So far the response is displayed as text by the browser. I want to make
sure that the response won't be renderd by the browser as html which would
cause the execute of the <script>
Is there any other way which enables an attacker to succeed with such a
kind of reflected XSS attack?
No comments:
Post a Comment