Re: Can you exploit this XSS?

[Paul Johnston <paul () westpoint ltd uk>]

Hi Robin,

There is a twist to this you have missed - the user controlled input 
comes INSIDE the quote marks, and quote characters are escaped. So 
there's no immediately obvious way to get script into the page, although 
I imagine it is possible.

http://xyz/sdfdsf.htm<script>alert("hello")</script>

The output now includes:

<input type="hidden" name="targeturl" 
value="sdfdsf.htm<script>alert(&quot;hello&quot;)</script>">

Paul




Robin wrote:

> Just by virtue of being able to get script into the page it can be 
> exploited. What can be gained from the exploit is dependant on what 
> the app/site does.
>
> XSS is commonly used to collect session id's so an attacker could 
> gather those using this weakness.
>
> Robin
>
> Paul Johnston wrote:
>
> > Hi,
> >
> > While auditing a web app, I've found the site redirects not found 
> > pages to a login screen. This contains an element like:
> >
> > <input type="hidden"  name="tageturl" value="XXX">
> >
> > Now, the XXX bit is controlled by the user, and it seems the only 
> > characters escaped are " and & - i.e. 
> > <script>alert(document.cookie)</script> gets through (hence my tool 
> > alerted me).
> >
> > Can this be exploited for XSS? I can't see how to immediately, but it 
> > seems possible.
> >
> > Paul

--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk