Cross-Site Scripting (XSS) is a tricky bug to fix, and bypasses for those fixes can be even trickier. While there are several ways to remediate or prevent XSS, I want to focus on HTML entity encoding and the contextual pitfalls that come with it.
Nine times out of ten, HTML entity encoding is going to block your attempts at popping an XSS. The app will render < > & " ' as the HTML entities &lt; &gt; &amp; &quot; &#x27; (or &#39;), and the reflected content comes back safe and inert, as long as it lands in an HTML body or inside a quoted attribute value. The tenth time is a matter of context: reflect the same encoded string into an unquoted attribute, or into a JavaScript string inside an event handler, and those five entities either never come into play or get decoded again by the browser before the script engine sees them.