WebApp Sec mailing list archives
Re: XSS - Double Quote break out and White Space filtered
From: Florian Weimer <fw () deneb enyo de>
Date: Fri, 29 May 2009 20:42:24 +0200
* arvind doraiswamy:
> Problem 1: Here's what is allowed: ( ) : ; &
Is "=" allowed as well? Without that, it's going to be difficult, I think. With =, you can use an onmouseover event handler and a style attribute to enlarge the input field and make it transparent (so that the event handler actually fires). Both can be &-encoded to bypass the filter. This will work in any browser; direct script injection into style attributes is quite browser-specific.
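Added example, not part of the original post or thread: a defender's view of why a filter that lets `&` through cannot stop character-reference-encoded input, shown beside contextual encoding for a quoted HTML attribute value. The filter model, the function names and the sample input are assumptions constructed for illustration.

```javascript
// Added example: names and sample input are constructed for illustration.

// Assumed model of the filter in the thread: drop double quotes and whitespace,
// pass everything else (including ( ) : ; & and #) unchanged.
function blacklistFilter(input) {
  return input.replace(/["\s]/g, "");
}

// Contextual output encoding for a quoted HTML attribute value: every
// character outside [A-Za-z0-9] becomes a hexadecimal character reference.
function encodeForHtmlAttribute(input) {
  let out = "";
  for (const ch of String(input)) {
    out += /^[A-Za-z0-9]$/.test(ch)
      ? ch
      : "&#x" + ch.codePointAt(0).toString(16) + ";";
  }
  return out;
}

// Minimal stand-in for the browser's attribute-value decoding: resolves
// numeric character references once (named references are out of scope).
function decodeNumericRefs(markup) {
  return markup.replace(/&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));/g, (m, hex, dec) => {
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// What the browser ends up with as the attribute value under each approach.
function valueSeenByBrowser(input, sanitize) {
  return decodeNumericRefs(sanitize(input));
}

// Constructed sample: a reference-encoded space and equals sign.
const sample = "a&#32;b&#61;c";
console.log(valueSeenByBrowser(sample, blacklistFilter));        // "a b=c"
console.log(valueSeenByBrowser(sample, encodeForHtmlAttribute)); // "a&#32;b&#61;c"
```

With the blacklist, the whitespace the filter was meant to block reappears after the browser decodes the value; with output encoding, the user's `&` is itself encoded, so the references stay literal text.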