Re: XSS - Double Quote break out and White Space filtered

[arvind doraiswamy <arvind.doraiswamy () gmail com>]

Ha Ha no, its not homework at all; those days are gone. I edited the
code a little before I posted. Its actually a Level in a wargame
targeted only at XSS. Doing that is a nice way to improve skill. Yes I
understand I have to target document.write() but it outputs everything
back into double quotes, so how do I do it? Thnx anyway...

Arvind

On Sun, May 31, 2009 at 8:25 PM, Florian Weimer <fw () deneb enyo de> wrote:
> * arvind doraiswamy:
>
> > Here's a snapshot of the related code:
> >
> > <form action="blahblah.php" method="post">
> > document.write: <input type="text" name="p1" size="60" value="ggggg">
> > <input type="submit" value="reflect">
> > <pre><script>document.write("gggggg");</script></pre>
> > </form>
>
> Is this some sort of homework?
>
> > So as you see all reflection points are in double quotes and all key
> > characters are blocked off as mentioned earlier.
> >
> > An input in the text box of: < > : ; " ' ` = ( ) / \ * is reflected back as:
> > &lt; &gt; : ; &quot; &#039; ` = ( ) / \ *
>
> You need to target the document.write() call.