sereverside/encodeUrl XSS fails

[ArkaprabhaChakraborty]

I have been trying to perform XSS for serverside URL encoding challenges like https://public-firing-range.appspot.com/escape/serverside/encodeUrl/attribute_name but I cannot bypass the encoding. Can I get some help regarding this?

[ArkaprabhaChakraborty]

Anyone :) any help :). I don't know if this can be attacked or not :).

[qll]

Hi,

the particular case you quote (https://public-firing-range.appspot.com/escape/serverside/encodeUrl/attribute_name) is indeed not exploitable.

The firing range is a test bed for automated scanners, so we also include unexploitable cases to check for misdetections. But currently this is not very well documented (only internally). I can see what I can do to bring the documentation to the public repository. We have a fix-it in our team mid June so this might be a good item to tackle then :-)

Cheers,
Nicolas

[psiinon]

That documentation would be much appreciated :)

[ArkaprabhaChakraborty]

We have a fix-it in our team mid June so this might be a good item to tackle then :-)

:)