WebApp Sec mailing list archives
Re: HTTP Response URI XSS but not in 302 Body
From: Paul Johnston <paul () westpoint ltd uk>
Date: Fri, 02 Jul 2004 09:48:42 +0100
Hi,That's a false positive from your testing tool. Side note: a while back I submitted patches for Nessus to prevent this kind of false positive. XSS plugins now only look at the response body, not header.
However, if you are able to inject line breaks into the URL then you will be able to muck about with headers and that is a vulnerability.
Regards, Paul Robert.L.Grill () wellsfargo com wrote:
Has anyone had an instance where they saw a successful Cross Site Scripting Exploit by receiving a script in a URL response but not in the body of the returned document.
-- Paul Johnston Internet Security Specialist Westpoint Limited Albion Wharf, 19 Albion Street, Manchester, M1 5LN England Tel: +44 (0)161 237 1028 Fax: +44 (0)161 237 1031 email: paul () westpoint ltd uk web: www.westpoint.ltd.uk
Current thread:
- HTTP Response URI XSS but not in 302 Body Robert . L . Grill (Jul 01)
- Re: HTTP Response URI XSS but not in 302 Body Tim (Jul 02)
- Re: HTTP Response URI XSS but not in 302 Body Paul Johnston (Jul 02)