WebApp Sec mailing list archives

XSS Filter Evasion


From: cAs <writemecas () googlemail com>
Date: Sun, 12 Apr 2009 12:07:55 +0200

Hello everybody,

I recently tested a web application for XSS vulnerabilities. There I found a search function where I did the following:

Injected String: "test
Source Code Result:

<input autocomplete="off" class="searchbox" type="text" name="searchInclude" id="q" value=""test"/>

"YES!" - I thought, but this "simple" target turned out to be a hard job.
The next thing I did was injecting this:

Injected String: ">test
Source Code Result:

<input autocomplete="off" class="searchbox" type="text" name="searchInclude" id="q" value=""gttest"/>

So the < > get filtered, as well as ().
Is there still a way to close the input tag?

Greetings,
cAs
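
Added example, not part of the original post: a regression check a developer could run against the search box described above, comparing the character filter with output encoding of the attribute value. The `observed_filter` function is a hypothetical reconstruction based only on the two outputs quoted in the post; the function names are assumptions.

```python
import html
from html.parser import HTMLParser

# The search box markup as quoted in the post.
TEMPLATE = ('<input autocomplete="off" class="searchbox" type="text" '
            'name="searchInclude" id="q" value="{}"/>')
EXPECTED_ATTRS = {"autocomplete", "class", "type", "name", "id", "value"}

def observed_filter(text):
    # Assumption: rebuilt from the post's two outputs only. ">" came back
    # as "gt"; "<" -> "lt" and dropping "(" / ")" are guesses by symmetry.
    for old, new in (("<", "lt"), (">", "gt"), ("(", ""), (")", "")):
        text = text.replace(old, new)
    return text

def render_filtered(text):
    """Character filter: the double quote reaches the attribute unencoded."""
    return TEMPLATE.format(observed_filter(text))

def render_encoded(text):
    """Output encoding for a double-quoted attribute value."""
    return TEMPLATE.format(html.escape(text, quote=True))

class InputCollector(HTMLParser):
    """Collects the attributes of every <input> element in the markup."""
    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))

def value_round_trips(markup, submitted):
    """True only if the markup parses to exactly one <input> that carries the
    template's attributes and whose value equals the submitted text."""
    parser = InputCollector()
    parser.feed(markup)
    parser.close()
    if len(parser.inputs) != 1:
        return False
    attrs = parser.inputs[0]
    return set(attrs) == EXPECTED_ATTRS and attrs.get("value") == submitted

if __name__ == "__main__":
    for s in ('"test', '">test'):  # the two strings from the post
        print(repr(s), "filtered ok:", value_round_trips(render_filtered(s), s),
              "| encoded ok:", value_round_trips(render_encoded(s), s))
```

With the filter, the parsed value comes back empty for both strings from the post because the quote ends the attribute early; with encoding, the submitted text survives as the value and no extra attribute appears.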



