I am trying to learn the basics of web security vulnerabilities.
I have found a website where, on password reset, you get a link in the email with a token, and when you click this link, the webpage opens and the URL is reflected in a form action. Something like this:
Password reset URL:
And this is how it is reflected:
<form action="https://target.com/toekn=q123sefgetrt3dfe" method="post">
Based on this, I am trying to figure out if this can lead to reflected XSS. So in the URL I tried something like this:
so that the form tag is closed, and a script is inserted inside the form.
This reflects in the form action, but URL-encoded, so quotes are turned to %22 and angular brackets to %3E.
Does this mean that reflected XSS can’t be achieved here? Is the browser encoding this, or must the web page itself be encoding this? Is there a way to bypass to see if there is a vulnerability?
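On where the %22 and %3E can come from: the following is an added example, not part of the original post, that separates the percent-encoding a standards-compliant URL parser applies before a request is sent from the HTML attribute escaping the server has to apply itself when it writes the URL into `action`. The `?token=` query form, the function names and the marker value are constructed for illustration.

```javascript
// Added example; all names and sample values are constructed, not taken from the site.

// 1) The WHATWG URL parser (used by browsers and by Node's URL class)
//    percent-encodes quotes and angle brackets in the query on its own.
function browserSerialize(rawUrl) {
  return new URL(rawUrl).href;
}

// 2) Server-side escaping for a double-quoted HTML attribute, applied
//    regardless of what the client did to the URL.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function renderResetForm(requestUrl) {
  return `<form action="${escapeHtmlAttr(requestUrl)}" method="post">`;
}

// True when the reflected value cannot end the attribute or open a tag.
function staysInsideAttribute(formHtml) {
  const inner = formHtml.slice('<form action="'.length, -'" method="post">'.length);
  return !/["<>]/.test(inner);
}

// Constructed sample containing the characters mentioned in the question.
const typed = 'https://target.com/?token=abc"><b>marker';
const sent = browserSerialize(typed);
console.log(sent); // what the server receives from a browser

// Reflection of the encoded URL, and of a decoded copy (the case where a
// framework hands the handler an already-decoded value).
console.log(renderResetForm(sent));
console.log(renderResetForm(decodeURIComponent(sent)));
```

Seeing %22 and %3E in the page source therefore does not by itself show that the page escapes its output; the check that matters on the server side is that the value is attribute-escaped at the point where it is written into the form tag.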