WebApp Sec mailing list archives
XSS Filter Evasion
From: cAs <writemecas () googlemail com>
Date: Sun, 12 Apr 2009 12:07:55 +0200
Hello everybody,i recently tested a web application for XSS vulnerabilities. There i found a search function where i did the following:
Injected String: "test Source Code Result: <input autocomplete="off" class="searchbox" type="text" name="searchInclude" id="q" value=""test"/> "YES!" - i thought, but this "simple" target turned out to be a hard job. The next thing i did was injecting this: Injected String: ">test Source Code Result: <input autocomplete="off" class="searchbox" type="text" name="searchInclude" id="q" value=""gttest"/> So the < > get filtered, as well as (). Is there still a way to close the input tag? Greetings, cAs
Current thread:
- XSS Filter Evasion cAs (Apr 13)
- Re: XSS Filter Evasion Wil Clouser (Apr 13)