PaulDotCom mailing list archives
XSS, Command and SQL Injection vectors: Beyond the Form
From: jim.halfpenny at gmail.com (Jim Halfpenny)
Date: Thu, 4 Jun 2009 06:54:39 +0100
Examples include just about anything that reads data. There have been XSS issues with log monitoring software where log data is not sanitised before being parsed and displayed. PTK, a web frontend for The Sleuth Kit, had an arbitrary command execution vulnerability when reading a maliciously crafted file name on a disk image.

Jim

2009/6/4 Adrian Crenshaw <irongeek at irongeek.com>

> We are all familiar with XSS via a form field in a web application, but what about other vectors? The article talks about using User Agent strings, even logs, object properties and other odd alternative vectors for XSS, SQL and command injection.
>
> http://www.irongeek.com/i.php?page=security/xss-sql-and-command-inject-vectors
>
> What other vectors can you think of? Any real world examples?
>
> Adrian
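The two vectors raised in this thread (a log viewer that renders unsanitised log data, and a forensic tool that hands an untrusted file name to a command) can be shown side by side in a few lines. The following is an added example written for this archive page, not code from PTK, The Sleuth Kit, or the article linked above. The log lines are constructed in Apache combined-log style, the User-Agent field is taken to be the last quoted field on the line, and `sha256sum` stands in for whatever external tool a disk-image frontend might invoke on a file name (an assumption, not PTK's actual behaviour).

```python
import html
import re
import shlex

# Constructed sample log lines in Apache combined-log style. The second line
# carries a User-Agent containing markup, the vector Adrian's article describes.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [04/Jun/2009:06:54:39 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [04/Jun/2009:06:55:01 +0100] "GET /login HTTP/1.1" 200 128 "-" "<script>alert(1)</script>"',
]

# Last double-quoted field on the line; in combined-log format that is the User-Agent.
UA_FIELD = re.compile(r'"([^"]*)"\s*$')
MARKUP = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)


def render_log_html_unsafe(lines):
    """Vulnerable pattern: raw log text is interpolated straight into HTML.

    A User-Agent (or any other attacker-controlled field) that contains a
    <script> tag executes in the browser of whoever opens the log viewer.
    """
    rows = "".join(f"<tr><td>{line}</td></tr>" for line in lines)
    return f"<table>{rows}</table>"


def render_log_html(lines):
    """Hardened form: every log line is HTML-escaped before it reaches the page.

    html.escape turns <, >, &, " and ' into entities, so the same payload is
    displayed as text instead of being parsed as markup.
    """
    rows = "".join(f"<tr><td>{html.escape(line, quote=True)}</td></tr>" for line in lines)
    return f"<table>{rows}</table>"


def find_suspicious_user_agents(lines):
    """Detection: return 1-based line numbers whose User-Agent field looks like markup.

    Useful as a review step over a log sample before trusting a viewer to render it.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        match = UA_FIELD.search(line)
        if match and MARKUP.search(match.group(1)):
            hits.append(lineno)
    return hits


def build_hash_argv(filename):
    """Hardened form for the file-name vector: pass the name as one argv element.

    No shell ever parses the string, so characters such as ';' or '$(' in a
    file name recovered from a disk image stay part of the name. The '--'
    stops the tool from reading a name beginning with '-' as an option.
    sha256sum is an assumed stand-in for the tool a frontend might call.
    """
    return ["sha256sum", "--", filename]


def shell_string_for(filename):
    """If a shell string is unavoidable, shlex.quote wraps the name so the
    shell sees exactly one word. Prefer build_hash_argv where possible."""
    return "sha256sum -- " + shlex.quote(filename)


if __name__ == "__main__":
    print(render_log_html_unsafe(SAMPLE_LOG_LINES))
    print(render_log_html(SAMPLE_LOG_LINES))
    print("suspicious lines:", find_suspicious_user_agents(SAMPLE_LOG_LINES))
    name = "report.txt; echo injected"  # constructed file name with shell metacharacters
    print(build_hash_argv(name))
    print(shell_string_for(name))
```

The escaping belongs at the point where log text becomes HTML, not at collection time: the raw line must stay intact for forensic use, so the viewer is the layer that has to treat it as untrusted.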