Apply XSS payload at Directory/File name instead of Parameter #424

@sn1p3rt3s7

Description

I have encountered a Content Spoofing issue in a major website. The website reflects the text inserted after the first forward slash.
e.g. example.com/[dot]content_reflected_on_page
This is reflected in the language dropdown section of the page. So I assume the value with a dot is considered as a language file.

  • example.com/de - displays the page in German, shows de in the language dropdown.
  • example.com/det - Error page, no reflection.
  • example.com/anything.visit example.com - displays anything.visit example.com in the language dropdown.

However, I am not able to break out of the tag. Single quote, double quote, gt and lt symbols are encoded before displaying.
Which led me to think of trying this on an automated tool. But I noticed that the tool allows injection of the payload only at parameters.

Solution:

You can use --path to test the payload on the path; also use --level 1 to set the particular path.
I had to give a custom payload list having a dot in each line.
https://github.com/payloadbox/xss-payload-list/blob/master/Intruder/xss-payload-list.txt
sed 's/^/\./' xss-payload-list.txt > xss_payload_dot_added.txt
python3 xsstrike.py -u "https://example.com/" --level 1 --path -f ~/Downloads/xss_payload_dot_added.txt
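The behaviour reported above (the first path segment treated as a locale name and echoed into the language dropdown) can be modelled server-side to show why escaping alone leaves content spoofing in place and why an allowlist removes it. This is an added example, not code from the issue author, the affected site, or the XSStrike project; the locale set and the rendering helpers are assumptions.

```python
import html
import re
from typing import Optional
from urllib.parse import unquote

# Assumed allowlist of locales the site actually ships (not from the issue).
SUPPORTED_LOCALES = {"en", "de", "fr"}
LOCALE_RE = re.compile(r"^[a-z]{2}(?:-[A-Z]{2})?$")


def first_segment(path: str) -> str:
    """Return the decoded first segment of a URL path, e.g. '/de/page' -> 'de'.
    Decoding before any escaping keeps the output encoding consistent."""
    return unquote(path.lstrip("/").split("/", 1)[0])


def render_dropdown_reflecting(path: str) -> str:
    """Reported behaviour: the segment is reflected into the dropdown but
    HTML-escaped, so quotes and angle brackets cannot break out of the tag.
    The attacker-controlled text still appears verbatim on the page, which
    is the content spoofing the issue describes."""
    return "<option selected>%s</option>" % html.escape(first_segment(path), quote=True)


def resolve_locale(path: str) -> Optional[str]:
    """Mitigation: only a known locale code is accepted; anything else yields
    None so the caller can return an error page (as the site already does for
    'det') instead of echoing the segment at all."""
    seg = first_segment(path)
    if LOCALE_RE.match(seg) and seg in SUPPORTED_LOCALES:
        return seg
    return None


def render_dropdown_allowlisted(path: str) -> Optional[str]:
    """Renders only allowlisted locales; unknown segments never reach the HTML."""
    locale = resolve_locale(path)
    if locale is None:
        return None
    return "<option selected>%s</option>" % locale


if __name__ == "__main__":
    # Constructed inputs mirroring the issue's three observations.
    for p in ["/de", "/det", "/anything.visit example.com"]:
        print(p, "->", render_dropdown_reflecting(p), "|", render_dropdown_allowlisted(p))
```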
