WebApp Sec mailing list archives

RE: xxs problem


From: "Michael Silk" <silkm () hushmail com>
Date: Wed, 17 Mar 2004 14:11:07 -0800

Actually, that's not right.

alert(document.cookie) is fine, and also
(another poster said) that you required
the ";", that should be fine as well.

It seems, from your other post ("xss typo"
or similar), that your app translated "<"
into "& l t ;", which means it's not vulnerable
to this type of XSS.

However, there are other forms that don't require
the usage of "<" and ">" (such as accepting an
img src from the user, etc.), so attempt to remove
usage of the "javascript" text also.


-----Original Message-----
From: Clint Bodungen [mailto:clint () secureconsulting com]
Sent: Thursday, 18 March 2004 4:40 AM
To: Frank Dobb; webappsec () securityfocus com
Subject: Re: xxs problem


One type you do have is:    alert(document.cookie)

Should be:    alert('document.cookie')


Tuesday, March 16, 2004 7:35 AM



To all you XSS'ers on this list.

I have been testing an application for XSS
vulnerabilities. I am very stuck and would appreciate
some advice.

When I enter the following URL:


http://standard/default.aspx?Mode=<script>alert(document.cookie)</script>&PageView=Shared

I get the <script>alert(document.cookie)</script> text
sent back in the reply. I thought this would now be
easy. However, it does not provoke an alert within the
browser.

On further analysis, I see the
<script>alert(document.cookie)</script> occurs in the
middle of a <form> statement.


<form name="form1" method="post"
action="default.aspx?Mode=<SCRIPT>alert(document.cookie)</SCRIPT>&PageView=Shared"
id="form1">

you can see that my injected script is in the middle
of the action statement which is enclosed in double
quotes.

I thought I would just need to close this action
statement and then close the form. However, when I do
this by sending a "> before the injected script


http://standard/default.aspx?Mode=";><script>alert(document.cookie)</script>&PageView=Shared


I get the following result:


<form name="form1" method="post"
action="default.aspx?Mode=&quot;><SCRIPT>alert(document.cookie)</SCRIPT>&PageView=Shared"
id="form1">


You can see that the > passes OK but the " is
converted to a &quot; character, which is not interpreted
by the browser.

So is this a gotcha... or is there a way I can
terminate this double-quoted string to get my script
to execute?

thanks for any advice,

regards Frank
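As an added illustration (not code from the thread or from Frank's application), the Python below renders the form tag from the thread with HTML attribute encoding, which is the behaviour Frank observes when his `"` comes back as `&quot;`, and then parses the result the way a tokenizer would to confirm the payload never leaves the `action` attribute; it also shows the separate check Michael's reply points at, a scheme allowlist for attributes that take a URL such as `img src`. The two `Mode` values are copied from the thread; the function names and the example.com URL are my own.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The two Mode values from Frank's URLs (copied from the thread).
MODE_PLAIN = "<script>alert(document.cookie)</script>"
MODE_BREAKOUT = '";><script>alert(document.cookie)</script>'

def render_form(mode: str, encode: bool = True) -> str:
    """Render the thread's <form> tag. With encode=True the attribute value is
    entity-encoded (< > & " ' become entities), which is what Frank's app does:
    the '"' he sends comes back as &quot; and cannot close the attribute."""
    action = f"default.aspx?Mode={mode}&PageView=Shared"
    if encode:
        action = html.escape(action, quote=True)
    return f'<form name="form1" method="post" action="{action}" id="form1">'

class TagCollector(HTMLParser):
    """Records every start tag the tokenizer sees, plus the form's attributes."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.form_attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "form":
            self.form_attrs = dict(attrs)  # attribute values arrive entity-decoded

def parse_tags(markup: str) -> TagCollector:
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p

def safe_image_src(user_url: str, allowed=("http", "https")):
    """Constructed helper for URL-valued attributes (img src, href): entity encoding
    alone does not stop 'javascript:' URLs, so the scheme is checked against an
    allowlist first. Returns the encoded URL, or None when the scheme is rejected
    (relative URLs have no scheme and are rejected by this strict version too)."""
    scheme = urlsplit(user_url.strip()).scheme.lower()
    if scheme not in allowed:
        return None
    return html.escape(user_url, quote=True)

if __name__ == "__main__":
    for mode in (MODE_PLAIN, MODE_BREAKOUT):
        print(parse_tags(render_form(mode)).tags)          # ['form'] both times
    print(parse_tags(render_form(MODE_BREAKOUT, encode=False)).tags)  # ['form', 'script']
```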
