WebApp Sec mailing list archives
Re: xxs problem
From: "Clint Bodungen" <clint () secureconsulting com>
Date: Wed, 17 Mar 2004 11:39:50 -0600
One typo you do have is:
alert(document.cookie)
Should be:
alert('document.cookie')
Tuesday, March 16, 2004 7:35 AM
To all you xxx'ers on this list. I have been testing an application for XSS vulnerabilities. I am very stuck & would appreciate some advice. When I enter the following URL:
http://standard/default.aspx?Mode=<script>alert(document.cookie)</script>&PageView=Shared
I get the <script>alert(document.cookie)</script> text sent back in the reply. I thought this would now be easy - However it does not provoke an alert within the browser. On further analysis, I see the <script>alert(document.cookie)</script> occurs in the middle of a <form> statement.

<form name="form1" method="post" action="default.aspx?Mode=<SCRIPT>alert(document.cookie)</SCRIPT>&PageView=Shared" id="form1">

You can see that my injected script is in the middle of the action statement which is enclosed in double quotes. I thought I would just need to close this action statement and then close the form. However, when I do this by sending a "> before the injected script
http://standard/default.aspx?Mode="><script>alert(document.cookie)</script>&PageView=Shared
I get the following result:

<form name="form1" method="post" action="default.aspx?Mode="><SCRIPT>alert(document.cookie)</SCRIPT>&PageView=Shared" id="form1">

You can see that the > passes ok but the " is converted to a " character - which is not interpreted by the browser. So is this a gotcha... or is there a way I can terminate this double-quoted string to get my script to execute?

thanks for any advice,
regards
Frank
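
Added example, not part of the original posts or the application under test: a Python model of how the reflected Mode value lands in the form's action attribute under three encoding policies, checked with a real HTML parser. The function names are hypothetical, Python stands in for the ASP.NET page, and the quote-only policy (writing " as &quot;) is an assumption inferred from the behaviour described in the thread.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

FORM = '<form name="form1" method="post" action="%s" id="form1">'
# Constructed sample input, modelled on the value quoted in the thread.
SAMPLE_MODE = '"><script>alert(document.cookie)</script>'

def render_raw(mode, page_view="Shared"):
    """No encoding: the value is pasted into the attribute as-is."""
    return FORM % ("default.aspx?Mode=%s&PageView=%s" % (mode, page_view))

def render_quote_only(mode, page_view="Shared"):
    """Assumed model of the behaviour described: only '"' is entity-encoded."""
    action = "default.aspx?Mode=%s&PageView=%s" % (mode, page_view)
    return FORM % action.replace('"', "&quot;")

def render_encoded(mode, page_view="Shared"):
    """Contextual encoding: URL-encode the values, then attribute-encode."""
    query = urlencode({"Mode": mode, "PageView": page_view})
    return FORM % html.escape("default.aspx?" + query, quote=True)

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags, self.action = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "form":
            self.action = dict(attrs).get("action")

def parse_form(markup):
    """Return (start tags seen, decoded form action) as an HTML parser sees them."""
    collector = _Collector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.action

def mode_round_trips(markup, mode):
    """True if <form> is the only element and Mode decodes back to the input."""
    tags, action = parse_form(markup)
    return tags == ["form"] and parse_qs(urlsplit(action).query).get("Mode") == [mode]
```

Running mode_round_trips over rendered pages with a set of awkward inputs makes a usable regression test: the contextually encoded form keeps the value as data in both the URL and the HTML layer, while the raw form lets it change the element structure.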