WebApp Sec mailing list archives
Re: XSS - Double Quote break out and White Space filtered
From: Marc-André Laverdière <marc-andre () atc tcs com>
Date: Tue, 09 Jun 2009 10:21:25 +0530
You can have a look at the Google Browser Security Handbook: http://code.google.com/p/browsersec/wiki/Main
It may not exactly answer your question, but it's a useful reference and could help you get your answer :)
--
Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India

arvind doraiswamy wrote:

@Portswigger: The <IMG SRC> did work..thnx.

@Mugdha: The < and > was blocked. We tried your suggestion, Unicode and that worked too. I'd swear we'd tried that out though :rollseyes. Thanks anyway.

@Walid: No I'm not designing the wargame though that may be a nice idea going forward :D.

The final bypass hence turns out to be

document.write("\u003cimg src=a onerror=alert(1)\u003e")

A final question though. How does the browser interpret Unicode and Hex and all that? As in yes..I understand there is intelligence built in to it but how does it decide..Right...This is Unicode. This is URL Encoded. This is Hex..This is normal text. Is it just by the \u \x % ...?? Or is it something deeper. Are there a few good reads?

Thanks
Arvind
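
On the closing question of how the browser tells Unicode, URL encoding and hex apart: the following is an added example, not part of the original thread, that models the three decoders as separate layers and adds an output encoder for the JavaScript string-literal context. The helper names and sample strings are constructed for illustration, and the decoders are simplified models of the real parsers.

```javascript
// Each escape syntax is recognised by exactly one layer, and only in that
// layer's context. Constructed samples: the characters "<>" written three ways.
const samples = {
  url: "%3C%3E",        // percent-encoding: URL decoder
  html: "&#x3c;&#62;",  // numeric character references: HTML parser
  js: "\\u003c\\x3e",   // \u and \x escapes: JS lexer, inside a string literal
};

// Simplified models of the three decoders (hypothetical helpers).
const decoders = {
  url: (s) => { try { return decodeURIComponent(s); } catch { return s; } },
  html: (s) => s.replace(/&#(x[0-9a-f]+|[0-9]+);/gi, (_, n) =>
    String.fromCodePoint(/^x/i.test(n) ? parseInt(n.slice(1), 16) : parseInt(n, 10))),
  js: (s) => s.replace(/\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})/g, (_, u, x) =>
    String.fromCharCode(parseInt(u || x, 16))),
};

// Names of the layers that turn `text` into literal "<>".
function layersThatDecode(text) {
  return Object.keys(decoders).filter((k) => decoders[k](text) === "<>");
}

// Output encoder for data placed inside a JS string literal: everything
// outside a small safe set becomes \uXXXX, including the backslash, so
// escapes supplied in the data are no longer escapes to the JS lexer.
function escapeForJsString(untrusted) {
  return untrusted.replace(/[^A-Za-z0-9 ,._]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Constructed input carrying JS escapes but no literal "<" or ">",
// which is why a filter on those two characters does not see them.
const untrusted = "\\u003cimg src=a\\u003e";
const embedded = escapeForJsString(untrusted);

for (const [name, text] of Object.entries(samples)) {
  console.log(name, JSON.stringify(text), "decoded by:", layersThatDecode(text));
}
console.log("raw in JS string     ->", decoders.js(untrusted)); // markup appears
console.log("encoded in JS string ->", decoders.js(embedded));  // stays inert text
```
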