WebApp Sec mailing list archives
Re: XSS Testing
From: RSnake <rsnake () shocking com>
Date: Sat, 18 Sep 2004 17:03:31 -0700 (PDT)
You already mentioned other types of encoding, but there are quite a few, so I finally wrote a cheatsheat to help with this stuff. http://www.shocking.com/~rsnake/xss.html There is Unicode with and without semicolons, with and without padding of zeros, same with hex, and charachter encoding... On Fri, 17 Sep 2004, PenTest Guy wrote: | Date: Fri, 17 Sep 2004 15:26:11 +0000 | From: PenTest Guy <pentestguy () hotmail com> | To: webappsec () securityfocus com | Subject: XSS Testing | | I'm testing a web application. Previously, I had found XSS using a standard | variant: <scr1pt>al3rt('XSS')</scr1pt> (note used 3 for e and 1 for i as to | not cause any problems). I also URL encoded this same variant and it worked | as well. So I told them how to fix it (filtering out malicious characters, | encoding, etc. on the server side) and it seems fixed now. I was just | curious if there is any other way to manipulate the same variant, such as | other encoding schemes, that might bypass the protections I recommended. | | Thanks. | | _________________________________________________________________ | Don?t just search. Find. Check out the new MSN Search! | http://search.msn.click-url.com/go/onm00200636ave/direct/01/ | -R The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is expressly prohibited and may be unlawful.
Current thread:
- XSS Testing PenTest Guy (Sep 18)
- RE: XSS Testing Mike Andrews (Sep 18)
- Re: XSS Testing RSnake (Sep 18)
- Re: XSS Testing Devdas Bhagat (Sep 20)