WebApp Sec mailing list archives
Re: XSS Testing
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Tue, 21 Sep 2004 00:18:35 +0530
On 17/09/04 15:26 +0000, PenTest Guy wrote:
I'm testing a web application. Previously, I had found XSS using a standard variant: <scr1pt>al3rt('XSS')</scr1pt> (note used 3 for e and 1 for i as to not cause any problems). I also URL encoded this same variant and it worked as well. So I told them how to fix it (filtering out malicious characters, encoding, etc. on the server side) and it seems fixed now. I was just curious if there is any other way to manipulate the same variant, such as other encoding schemes, that might bypass the protections I recommended.
Oh, lots. Why not do the right thing and block by default? Have a set of valid character sets, and allow only a limited set of valid characters in there? Devdas Bhagat
Current thread:
- XSS Testing PenTest Guy (Sep 18)
- RE: XSS Testing Mike Andrews (Sep 18)
- Re: XSS Testing RSnake (Sep 18)
- Re: XSS Testing Devdas Bhagat (Sep 20)