WebApp Sec mailing list archives
Re: HTTP Response URI XSS but not in 302 Body
From: Tim <tim-security () sentinelchicken org>
Date: Thu, 1 Jul 2004 17:31:51 -0700
Has anyone had an instance where they saw a successful Cross Site Scripting Exploit by receiving a script in a URL response but not in the body of the returned document? For example:

    HTTP/1.1 302 Moved Temporarily
    Server: Sun-ONE-Web-Server/6.1
    Date: Tue, 29 Jun 2004 00:26:25 GMT
    Content-type: text/html
    Location: http://www.website.com/search/tips.jhtml?statusCode=zeroresults&query=hello&searchscope=>"><script>alert('XSS')</script>&userQueryCorrected=hello&_requestid=10756
    Connection: close

    <HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>
    <H1>302 Moved Temporarily</H1><BODY> </BODY>
I can't think of a situation where you could pull off an XSS with this, but if you can inject CR/LF into the reply, then you can put your own headers in (which can be very useful), or forge an entire HTTP reply header. See: http://www.sanctuminc.com/pdf/whitepaper_httpresponse.pdf

tim
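The defensive side of the CR/LF point above, as an added example that is not part of the original thread: a redirect builder that percent-encodes user-supplied query values before they reach the Location header, plus a check for CR/LF in an incoming query string that a log review or WAF rule could use. The function names and the base URL are assumptions for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, unquote_plus

# Bytes that end a header line or let a new header be smuggled in.
_HEADER_BREAK = ("\r", "\n", "\x00")


def contains_header_break(value: str) -> bool:
    """True if the string holds CR, LF or NUL, i.e. could split a response."""
    return any(ch in value for ch in _HEADER_BREAK)


def safe_redirect_location(base_url: str, params: dict) -> str:
    """Build a Location header value from a server-controlled base URL and
    user-supplied query parameters. urlencode() percent-encodes CR/LF, NUL,
    quotes and angle brackets, so no raw line break can reach the header."""
    if contains_header_break(base_url):
        raise ValueError("base URL must not contain CR/LF")
    parts = urlsplit(base_url)
    query = urlencode(params)  # quote_plus: '\r' -> %0D, '\n' -> %0A
    location = urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))
    if contains_header_break(location):  # belt and braces
        raise ValueError("refusing to emit a header containing a line break")
    return location


def query_carries_header_break(raw_query: str) -> bool:
    """Detection helper: decode a raw query string once and report whether
    it carries CR/LF/NUL (e.g. %0d%0a), the signature of a splitting attempt."""
    return contains_header_break(unquote_plus(raw_query))


if __name__ == "__main__":
    # Constructed sample input resembling the redirect in the question.
    loc = safe_redirect_location(
        "http://www.website.com/search/tips.jhtml",
        {"statusCode": "zeroresults", "query": "hello\r\nSet-Cookie: a=b"},
    )
    print(loc)
    print(query_carries_header_break("query=hello%0d%0aSet-Cookie:+a=b"))
```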