WebApp Sec mailing list archives
Re: CSS before redirect
From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Mon, 8 Sep 2003 09:20:26 -0700
In the course of hunting down cross-site scripting, one is bound to find what I have loosely referred to as "unusable" XSS (bad name). As most are familiar, XSS is very browser dependent. Specifically in this case, your browser is likely not interpreting the HTML on a 302 response code. Why would it need to anyway? So, as much as this IS an XSS issue, it poses no risk to the browser you are using. Perhaps another browser would be.
The standard fix could be suggested just the same however, just in case. Another "unusable" example would be HTML returning in unused response headers. Hope this helps.

On Monday, September 8, 2003, at 08:32 AM, Stephen de Vries wrote:
Hi all,

I'm looking at an application that seems to be vulnerable to CSS attack, however, the browser keeps following the redirect before running the script.

The request:

GET /includes?"></a><script>alert('hello')</script> HTTP/1.1

Results in the following response:

HTTP/1.1 302 Object Moved
Location: https://somwhereelse.com
Server: Microsoft-IIS/4.0
Content-Type: text/html
Content-Length: 123

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="https://somewhereelse.com/includes/?"></ a><script>alert('hello')</script>">here</a>

The CSS injection looks as though it should work, if the browser just displayed that page, but instead it acts on the redirect immediately before displaying the page. This happens in both Mozilla 1.4 and IE 6.

Do you think this represents a security risk?
Do older browsers behave in the same way?
Is it possible to turn this behaviour off?
Does cologne make the man?

cheers,
Stephen

Jeremiah Grossman
Chief Executive Officer
WhiteHat Security, Inc.
Tel: 408.492.1817
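
Added example, not part of the original messages: a Python sketch of the "standard fix" for the redirect body quoted above (HTML-escaping the URL before it goes into the href), together with a check that flags a 3xx response whose body still carries a test marker verbatim. The helper names and the assembled response are assumptions built from the request and response shown in the thread.

```python
import html

# Constructed sample input: payload and target taken from the request quoted in the thread.
PAYLOAD = "\"></a><script>alert('hello')</script>"
TARGET = "https://somewhereelse.com/includes/?"


def moved_body(url, escape):
    """Build the 'Object Moved' page; escape=False copies the URL in verbatim."""
    href = html.escape(url, quote=True) if escape else url
    return ("<head><title>Document Moved</title></head>\n"
            "<body><h1>Object Moved</h1>This document may be found "
            '<a HREF="' + href + '">here</a></body>')


def redirect_response(url, escape):
    """Assemble a raw 302 response around the body (hypothetical helper)."""
    body = moved_body(url, escape)
    head = ["HTTP/1.1 302 Object Moved",
            "Location: https://somewhereelse.com",
            "Content-Type: text/html",
            "Content-Length: %d" % len(body.encode("utf-8"))]
    return "\r\n".join(head) + "\r\n\r\n" + body


def redirect_body_reflects(raw_response, marker):
    """True when a 3xx response body contains the marker without encoding.

    A browser that follows the redirect never renders this body, so the
    finding is easy to miss in manual testing; the check reads the raw bytes.
    """
    head, _, body = raw_response.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ", 2)
    is_redirect = (len(parts) >= 2 and parts[1].isdigit()
                   and 300 <= int(parts[1]) < 400)
    return is_redirect and marker in body


if __name__ == "__main__":
    for label, escape in (("unescaped", False), ("escaped", True)):
        raw = redirect_response(TARGET + PAYLOAD, escape)
        print(label, "->", redirect_body_reflects(raw, PAYLOAD))
```
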