Home/ Questions/Q 7073349
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T05:55:08+00:00

I just found this on xssed.com , and if anyone could explain me why

  • 0

I just found this on xssed.com , and if anyone could explain me why is alert show here

Why %25 and then hex value , I tried just %hexvalue and nothing happens , how does %25 helps .
Thanks ,satisfy my curiosity…

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The full XSS payload is:

    %2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%252f%2558%2553%2553%252f%2529%253c%252f%2573%2563%2572%2569%2570%2574%253e=XSS-ME

    If you perform a single url-decode you get the following:

    %22%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2f%58%53%53%2f%29%3c%2f%73%63%72%69%70%74%3

    If you perform a 2nd URL decode again you get the payload:

    "><script>alert(/XSS/)</script>=XSS-ME

    This is a doulbe-url encoded payload. when %2522 is url-decoded it becomes: %22 because hex-25 is a %, and when it is url decoded again it becomes ".

    • 0