Cross-Site Scripting Attacks with Adverse Conditions: Upper-Case XSS
Several times I have encountered web applications that convert user-provided input to capital letters. For example, the application may behave as follows:
<SCRIPT> are not case-sensitive, whereas the contents inside them are in fact case-sensitive.
You can circumvent this limitation by using a different injection technique that involves, for instance,
prompt(1) converted into HTML entities leads to
For the conversion you may use the page https://mothereff.in/html-entities or your programming language of choice.
We will send the following (URL-encoded) payload to the application in the vulnerable parameter:
<IMG SRC=1 ONERROR=prompt(1)>
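The following is an added example, not code from the original post. It shows from the defender's side why upper-casing reflected input is not a control, and how encoding at output time is. The function names are hypothetical, Python's `html.parser` stands in for the browser's HTML parser, and the sample inputs are constructed from the `prompt(1)` handler used on this page.

```python
import html
from html.parser import HTMLParser


def as_char_refs(text):
    # Constructed sample input: each character as a hex character reference.
    return "".join(f"&#x{ord(ch):x};" for ch in text)


def reflect_upper_only(value):
    # The behaviour the page describes: upper-case the input, reflect it raw.
    return "<p>" + value.upper() + "</p>"


def reflect_encoded(value):
    # Hardened form: encode for the HTML context at output time.
    return "<p>" + html.escape(value.upper(), quote=True) + "</p>"


class HandlerCollector(HTMLParser):
    """Collects (tag, attribute, decoded value) for every on* attribute."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names and decodes character
        # references in attribute values, as a browser's HTML parser does.
        for name, value in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name, value))


def event_handlers(markup):
    collector = HandlerCollector()
    collector.feed(markup)
    collector.close()
    return collector.handlers


PLAIN = "<img src=1 onerror=prompt(1)>"  # constructed sample
ENCODED = "<img src=1 onerror=" + as_char_refs("prompt(1)") + ">"  # constructed sample

if __name__ == "__main__":
    for render in (reflect_upper_only, reflect_encoded):
        for sample in (PLAIN, ENCODED):
            print(render.__name__, event_handlers(render(sample)))
```

With upper-casing alone, the plain sample reaches the script engine as `PROMPT(1)`, while the entity-encoded sample is decoded back to lower case after the filter has run. With output encoding, neither sample produces a tag at all.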
Obviously, you are not limited to the <img> tag. Actually, any HTML tag
<script>alert(1)</script> could be produced as follows: