"--></style></ script >< script > alert ("XSS ")</ script >
When ending the previous style and script element it was possible to add a new script element and executing the Payload, the complete URL looks like this now :
This one only worked in Firefox, Chrome and IE restricted the execution with the anti XSS feature.
The Bug was categorized as „Out of Scope“ for whatever reason.
Hope you enjoyed, if you have any question left, please don’t hesitate to contact me at patrik.fehrenbach(at)it-securityguard.com