WebApp Sec mailing list archives

Re: XSS Testing


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Tue, 21 Sep 2004 00:18:35 +0530

On 17/09/04 15:26 +0000, PenTest Guy wrote:
> I'm testing a web application.  Previously, I had found XSS using a standard 
> variant: <scr1pt>al3rt('XSS')</scr1pt> (note used 3 for e and 1 for i as to 
> not cause any problems).  I also URL encoded this same variant and it worked 
> as well.  So I told them how to fix it (filtering out malicious characters, 
> encoding, etc. on the server side) and it seems fixed now.  I was just 
> curious if there is any other way to manipulate the same variant, such as 
> other encoding schemes, that might bypass the protections I recommended.


Oh, lots. Why not do the right thing and block by default? Have a set of
valid character sets, and allow only a limited set of valid characters
in there?

Devdas Bhagat
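
The block-by-default approach suggested in the reply above, as an added example that is not part of the original thread: each field has an allowlist of permitted characters, one accepted character set, and anything else is rejected. The field names and patterns are hypothetical, and the sample inputs are constructed from the defanged variant quoted in the post.

```python
import html
import re
from urllib.parse import quote

# Hypothetical fields and allowlists (assumptions, not from the thread).
ALLOWED = {
    "username": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
    "search": re.compile(r"[A-Za-z0-9 ,.'-]{1,64}"),
}

def validate(field, raw):
    """Return the value if every character is allowlisted, else raise ValueError."""
    rule = ALLOWED.get(field)
    if rule is None:
        raise ValueError("no rule for field: rejected by default")
    try:
        text = raw.decode("utf-8")  # accept exactly one character set
    except UnicodeDecodeError:
        raise ValueError("not valid UTF-8") from None
    # fullmatch, not match or a '$' anchor: the whole value must fit,
    # including any trailing newline.
    if not rule.fullmatch(text):
        raise ValueError("character outside the allowlist")
    return text

def accepts(field, raw):
    """Boolean wrapper around validate()."""
    try:
        validate(field, raw)
        return True
    except ValueError:
        return False

def render(value):
    """Output encoding still applies: the allowlist may permit a quote."""
    return html.escape(value, quote=True)

# Constructed inputs: the defanged variant from the post and its URL-encoded form.
PLAIN = b"<scr1pt>al3rt('XSS')</scr1pt>"
ENCODED = quote(PLAIN, safe="").encode("ascii")

if __name__ == "__main__":
    for sample in (b"O'Brien", PLAIN, ENCODED, b"\xff\xfe", b"alice\n"):
        print(sample, accepts("search", sample))
    print(render(validate("search", b"O'Brien")))
```

Because `%`, `<` and `>` are not in any allowlist, the variant is rejected whether it arrives decoded or still percent-encoded, without the validator having to recognise the encoding.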

