Ending a JavaScript block without a slash character

Server side:

As a security procedure they encoded the "/" as "&#47" in order to avoid any directory path traversal or XSS (no luck mate). Try other methods of getting around the "/".

Cheat-sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Client side:

Your browser has some sort of XSS protection enabled. Try to disable that protection.


I am not aware of any way to end a <script> without the presence of </script. (case insensitive, no encoding)

If there is a syntax error anywhere in a particular script, then that whole script will not execute. (of course you seem to already know this, and thus you are trying to insert </script>)

However, this is still serious because it is likely that a future developer will fix that syntax error, unknowingly making a vulnerability out of this injection flaw you discovered.

If, however, you caused the syntax error with your own injection (i.e. broke out of a quoted string), it is possible that you could resolve it as well before adding your exploit.
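
Added example, not part of either answer: the slash-only filter described above next to an encoder that matches the inline-script context, so the injection flaw is closed rather than left depending on a syntax error. The function names and sample input are constructed, and it assumes the value is written into a double-quoted string inside an inline `<script>` block.

```javascript
// Added example: function names and SAMPLE are hypothetical, not from the page.

// The filter from the first answer: only "/" becomes an HTML entity.
// Inside <script> the browser does not decode entities, and quotes pass through.
function slashOnlyFilter(value) {
  return String(value).replace(/\//g, "&#47;");
}

// Encoder for a value placed inside an inline <script> block.
// JSON.stringify escapes quotes, backslashes and control characters; the extra
// replacements hide "<", ">" and "&" from the HTML parser and cover
// U+2028/U+2029, which older JavaScript engines treat as line terminators.
const JS_ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

function toScriptLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (c) => JS_ESCAPES[c]);
}

// Build the inline script the way a template would, with each approach.
function renderWithFilter(value) {
  return '<script>var q = "' + slashOnlyFilter(value) + '";</script>';
}
function renderEncoded(value) {
  return "<script>var q = " + toScriptLiteral(value) + ";</script>";
}

// True when `literal` is one complete string literal that decodes to `expected`.
function decodesTo(literal, expected) {
  try { return JSON.parse(literal) === expected; } catch (e) { return false; }
}

// Constructed sample input: a double quote plus a closing script tag.
const SAMPLE = 'a"b</script>c';

console.log(renderWithFilter(SAMPLE)); // quote ends the string early
console.log(renderEncoded(SAMPLE));    // one intact string literal
```

With the encoder, the only `</script` sequence in the rendered output is the template's own closing tag, and the value round-trips unchanged.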

Tags:

Javascript

Xss