WebApp Sec mailing list archives

Re: HTTP Response URI XSS but not in 302 Body


From: Tim <tim-security () sentinelchicken org>
Date: Thu, 1 Jul 2004 17:31:51 -0700

Has anyone had an instance where they saw a successful Cross Site Scripting
exploit by receiving a script in a URL response but not in the body of the
returned document?

For example:

HTTP/1.1 302 Moved Temporarily
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 29 Jun 2004 00:26:25 GMT
Content-type: text/html
Location: http://www.website.com/search/tips.jhtml?statusCode=zeroresults&query=hello&searchscope=>"><script>alert('XSS')</script>&userQueryCorrected=hello&_requestid=10756
Connection: close

<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>
<H1>302 Moved Temporarily</H1><BODY>
</BODY>


I can't think of a situation where you could pull off an XSS with this, but if
you can inject CR/LF into the reply, then you can put your own headers
in (which can be very useful), or forge an entire HTTP reply header.
See: http://www.sanctuminc.com/pdf/whitepaper_httpresponse.pdf

tim
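As an added example (not part of the thread), a Python sketch that parses the 302 quoted above to show that the script lands only in the Location header and never in the body, plus a redirect builder that encodes user-influenced parameters and refuses the CR/LF that Tim's header-injection case depends on. The response text is reconstructed from the question with the wrapped header rejoined, and the function names are constructed for this example.

```python
import re
from urllib.parse import urlencode

# Constructed sample: the 302 from the question, with the wrapped Location
# header rejoined onto one line. Not captured from a real server.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: Sun-ONE-Web-Server/6.1\r\n"
    "Content-type: text/html\r\n"
    "Location: http://www.website.com/search/tips.jhtml?statusCode=zeroresults"
    "&query=hello&searchscope=>\"><script>alert('XSS')</script>"
    "&userQueryCorrected=hello&_requestid=10756\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>\r\n"
    "<H1>302 Moved Temporarily</H1><BODY>\r\n</BODY>\r\n"
)

def parse_response(raw):
    """Split a raw HTTP response into (status line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def where_is_script(raw, marker="<script>"):
    """List the parts of the response (header names, 'body') containing marker."""
    _, headers, body = parse_response(raw)
    hits = ["header:" + n for n, v in headers.items() if marker in v]
    if marker in body:
        hits.append("body")
    return hits

# CR, LF and other control characters must never reach a header value: a
# bare CR/LF ends the header line and lets the sender append headers or a
# whole second response (the case Tim describes).
_CTL = re.compile(r"[\x00-\x1f\x7f]")

def has_header_injection(value):
    """True if a header value contains a control character."""
    return _CTL.search(value) is not None

def safe_location(base, **params):
    """Build a Location value; percent-encode params and refuse control chars."""
    # urlencode turns <, >, ", CR and LF into %XX, so the browser sees
    # them as query-string data rather than header or HTML syntax.
    location = base + "?" + urlencode(params)
    if has_header_injection(location):
        raise ValueError("control character in redirect target")
    return location
```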

