Hello everyone, I found some weird HTML code injection in an IIS error message. IIS spits out some part of the user input that generated the error message, but will only display 20 characters at most. My question is: is it possible to actually exploit an XSS with this ? Here is an example: HTTP Request: mypage?search=%3cb%20onclick%3dalert(1)>%3e HTTP Response (real):

An error has occured.

Exception HttpRequestValidationException occurred while attempting mypage

Exception message is: A potentially dangerous Request.QueryString value was detected from the client (search="...").

Stack trace:

Server stack trace:
[..]

My payload was: > and it works (after clicking).
However, can this actually be exploited in real life ? I tried stuff in 20
characters like:  or  but no luck.
Has anyone ever tried this before ?

Thanks,

P.S. This might be a silly question with an obvious answer. If so, I'd be
grateful to have some extra information (links, docs etc.).