WebApp Sec mailing list archives
xxs problem
From: Frank Dobb <nyon1261 () yahoo com>
Date: Tue, 16 Mar 2004 05:35:20 -0800 (PST)
To all you xxx'ers on this list.

I have been testing an application for XXS vulnerabilities. I am very stuck & would appreciate some advice.

When I enter the following URL:

    http://standard/default.aspx?Mode=<script>alert(document.cookie)</script>&PageView=Shared

I get the <script>alert(document.cookie)</script> text sent back in the reply. I thought this would now be easy. However, it does not provoke an alert within the browser.

On further analysis, I see the <script>alert(document.cookie)</script> occurs in the middle of a <form> statement.

    <form name="form1" method="post" action="default.aspx?Mode=<SCRIPT>alert(document.cookie)</SCRIPT>&PageView=Shared" id="form1">

You can see that my injected script is in the middle of the action statement, which is enclosed in double quotes. I thought I would just need to close this action statement and then close the form. However, when I do this by sending a "> before the injected script

    http://standard/default.aspx?Mode="><script>alert(document.cookie)</script>&PageView=Shared

I get the following result:

    <form name="form1" method="post" action="default.aspx?Mode=&quot;><SCRIPT>alert(document.cookie)</SCRIPT>&PageView=Shared" id="form1">

You can see that the > passes ok but the " is converted to a &quot; character - which is not interpreted by the browser.

So is this a gotcha... or is there a way I can terminate this double-quoted string to get my script to execute?

Thanks for any advice,

regards
Frank
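Why the form tag in the post stays intact, shown as an added example that is not part of the original message: it renders the same `Mode` value with no encoding, with only the double quote encoded (assumed here to be `&quot;`, matching the post's report that the quote is converted while `>` passes through), and with full attribute encoding, then parses each result. `render_form`, `ENCODERS` and `audit` are hypothetical names, and Python's `html.parser` stands in for a browser's tokenizer.

```python
from html import escape
from html.parser import HTMLParser

# Constructed input: the Mode value from the second URL in the post.
MODE = '"><script>alert(document.cookie)</script>'

def render_form(mode, encode):
    """Hypothetical stand-in for the server-side rendering of the form tag."""
    action = "default.aspx?Mode=" + encode(mode) + "&PageView=Shared"
    return '<form name="form1" method="post" action="%s" id="form1">' % action

ENCODERS = {
    "none": lambda s: s,                                # raw reflection
    "quote_only": lambda s: s.replace('"', "&quot;"),   # behaviour seen in the post
    "full": lambda s: escape(s, quote=True),            # &, <, >, " and ' encoded
}

class TagAudit(HTMLParser):
    """Records every start tag and the form's decoded action attribute."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.action = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "form":
            self.action = dict(attrs).get("action")

def audit(name):
    """Render with the named encoder and report what a parser makes of it."""
    html = render_form(MODE, ENCODERS[name])
    parser = TagAudit()
    parser.feed(html)
    parser.close()
    return {"html": html, "tags": parser.tags, "action": parser.action,
            "script_element": "script" in parser.tags}

if __name__ == "__main__":
    for name in ENCODERS:
        result = audit(name)
        print(name, result["tags"], repr(result["action"]))
```

Inside a double-quoted attribute value only an unencoded `"` ends the value, so `<` and `>` there are ordinary characters; encoding all of `&`, `<`, `>`, `"` and `'` keeps the output safe if the same value is later emitted in a different context.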