WebApp Sec mailing list archives
RE: xxs problem
From: "Michael Silk" <silkm () hushmail com>
Date: Wed, 17 Mar 2004 14:11:07 -0800
Actually, that's not right. alert(document.cookie) is fine, and also (another poster said) that you required the ";"; that should be fine as well.

It seems, from your other post ("xss typo" or similar), that your app translated "<" into "&lt;", which means it's not vulnerable to this type of XSS. However, there are other forms that don't require the usage of "<" and ">" (such as accepting an img src from the user, etc.), so attempt to remove usage of the "javascript" text also.

-----Original Message-----
From: Clint Bodungen [mailto:clint () secureconsulting com]
Sent: Thursday, 18 March 2004 4:40 AM
To: Frank Dobb; webappsec () securityfocus com
Subject: Re: xxs problem

One typo you do have is:

alert(document.cookie)

Should be:

alert('document.cookie')
Tuesday, March 16, 2004 7:35 AM
To all you XSS'ers on this list. I have been testing an application for XSS vulnerabilities. I am very stuck & would appreciate some advice. When I enter the following URL:

http://standard/default.aspx?Mode=<script>alert(document.cookie)</script>&PageView=Shared

I get the <script>alert(document.cookie)</script> text sent back in the reply. I thought this would now be easy. However, it does not provoke an alert within the browser. On further analysis, I see the <script>alert(document.cookie)</script> occurs in the middle of a <form> statement:

<form name="form1" method="post"
action="default.aspx?Mode=<SCRIPT>alert(document.cookie)</SCRIPT>&PageView=Shared"
id="form1">

You can see that my injected script is in the middle of the action statement, which is enclosed in double quotes. I thought I would just need to close this action statement and then close the form. However, when I do this by sending a "> before the injected script:

http://standard/default.aspx?Mode="><script>alert(document.cookie)</script>&PageView=Shared

I get the following result:

<form name="form1" method="post"
action="default.aspx?Mode=&quot;><SCRIPT>alert(document.cookie)</SCRIPT>&PageView=Shared"
id="form1">

You can see that the > passes OK but the " is converted to a &quot; character, which is not interpreted by the browser. So is this a gotcha... or is there a way I can terminate this double-quoted string to get my script to execute?

Thanks for any advice,

regards
Frank
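The two reflections Frank posted, reworked as an added Python example (this is not code from anyone in the thread, and the function names are my own): it rebuilds the reflected <form> line with the Mode value run through a quote-only encoder versus full attribute-context encoding, parses the result roughly as a browser would to see whether a <script> element is actually created, and adds the URL-scheme check for the img src case Michael mentions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed samples modelled on the Mode parameter reflected in the thread.
PAYLOAD_TAGS = '<script>alert(document.cookie)</script>'
PAYLOAD_BREAKOUT = '"><script>alert(document.cookie)</script>'


def encode_quotes_only(value):
    """What the app in the thread appears to do: only '"' becomes &quot;,
    so '<' and '>' land raw (but inert) inside the quoted attribute."""
    return value.replace('"', '&quot;')


def encode_attr(value):
    """Correct HTML attribute-context encoding: &, <, >, " and ' all encoded."""
    return html.escape(value, quote=True)


def render_form(mode, encoder):
    """Rebuild the reflected <form> line with Mode run through encoder."""
    return ('<form name="form1" method="post" action="default.aspx?Mode='
            + encoder(mode) + '&amp;PageView=Shared" id="form1">')


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def script_breaks_out(markup):
    """Parse roughly as a browser would: True only if a <script> element is
    created, i.e. the payload escaped the quoted attribute value."""
    parser = _TagCollector()
    parser.feed(markup)
    return 'script' in parser.tags


def safe_url_attr(value, allowed=('http', 'https', '')):
    """For src/href attributes (the img src case Michael mentions): accept
    only http(s) or relative URLs, so javascript: URLs are rejected."""
    return urlsplit(value.strip()).scheme in allowed
```

Quote-only encoding happens to stop both of Frank's payloads here, but it only holds while the value stays inside a double-quoted attribute; encode_attr is the fix that does not depend on the surrounding markup.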