WebApp Sec mailing list archives
Re: CSS before redirect
From: Marc Slemko <marcs () znep com>
Date: Mon, 8 Sep 2003 14:10:44 -0700 (PDT)
On Mon, 8 Sep 2003, Jeremiah Grossman wrote:
In the course of hunting down cross-site scripting, one is bound to find what I have loosely referred to as "unusable" XSS (bad name). As most are familiar, XSS is very browser dependent. Specifically in this case, your browser is likely not interpreting the HTML on a 302 response code. Why would it need to anyway? So, as much as this IS an XSS issue, it poses no risk to the browser you are using. Perhaps another browser would be. The standard fix could be suggested just the same, however, just in case.
Yes, the browser generally won't interpret it ... unless you can control the entire target of the redirect, in which case you may be able to get the browser to stop trying to follow the redirect and just display the content of the page, by either having the redirect point to the same URL that is issuing it, or having a loop of redirects that ends up back at the same URL at the same time the browser runs into its maximum-number-of-redirects limit. Yes, definitely browser specific.
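As an added illustration of the "standard fix" the thread refers to (example code written for this archive page, not from either poster): a hypothetical Python redirect handler that HTML-encodes the 302 body and refuses to let the request control the full redirect target, which is the condition Marc describes as making the redirect-body HTML reachable. All names are assumptions; only the standard library is used.

```python
# Added example (hypothetical code, not from the thread): a 302 builder that
# addresses both points raised above -- HTML reflected into a 302 body, and
# user control of the redirect target (absolute URL, //host, redirect loop).
import html
from urllib.parse import urlsplit


def build_redirect_unsafe(target: str):
    """Pattern under discussion: target copied verbatim into header and body."""
    body = f'<html><body>Redirecting to <a href="{target}">{target}</a></body></html>'
    return 302, [("Location", target), ("Content-Type", "text/html")], body


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Allow only same-origin, absolute-path targets.

    Rejects control characters (header injection), any scheme or host,
    protocol-relative prefixes (//host) and backslashes (browsers treat
    '/\\host' like '//host'), so the caller cannot point the redirect at
    an arbitrary URL, including back at the issuing page to force a loop.
    """
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return fallback
    if "\\" in target:
        return fallback
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return fallback
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return fallback
    return target


def build_redirect(target: str):
    """Return (status, headers, body) for a 302 whose body is HTML-encoded.

    The body is still rendered by clients that do not follow redirects, so
    the target must be escaped there even though most browsers never show it.
    """
    location = safe_redirect_target(target)
    escaped = html.escape(location, quote=True)
    body = ('<html><body>Redirecting to '
            f'<a href="{escaped}">{escaped}</a></body></html>')
    headers = [("Location", location),
               ("Content-Type", "text/html; charset=utf-8")]
    return 302, headers, body
```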