Vulnerability Development mailing list archives
Re: Can you exploit this XSS?
From: dd <dd () ghettohackers net>
Date: Wed, 19 Nov 2003 13:59:55 -0800
Paul,What you have run into is called attribute encoding. When dealing html tag attributes enclosed inside of quotation marks, the only char that is "required" to encode is ". I usually recommend more robust output encoding.
Given you description, this is not normally exploitable. Depending on the browser it may be possible to trick some browsers into thinking your html is broken by injecting line feeds and starting up new tags.
dd Paul Johnston wrote:
Hi,While auditing a web app, I've found the site redirects not found pages to a login screen. This contains an element like:<input type="hidden" name="tageturl" value="XXX">Now, the XXX bit is controlled by the user, and it seems the only characters escaped are " and & - i.e. <script>alert(document.cookie)</script> gets through (hence my tool alerted me).Can this be exploited for XSS? I can't see how to immediately, but it seems possible.Paul
Current thread:
- Can you exploit this XSS? Paul Johnston (Nov 19)
- Re: Can you exploit this XSS? Robin (Nov 19)
- Re: Can you exploit this XSS? Paul Johnston (Nov 19)
- Re: Can you exploit this XSS? dd (Nov 19)
- Re: Can you exploit this XSS? Sverre H. Huseby (Nov 20)
- Re: Can you exploit this XSS? Paul Johnston (Nov 20)
- Re: Can you exploit this XSS? mark (Nov 25)
- Re: Can you exploit this XSS? Peter Pentchev (Nov 26)
- <Possible follow-ups>
- RE: Can you exploit this XSS? Scovetta, Michael V (Nov 19)
- Re: Can you exploit this XSS? Paul Johnston (Nov 19)
- RE: Can you exploit this XSS? Parity (Nov 24)
- RE: Can you exploit this XSS? Dawes, Rogan (ZA - Johannesburg) (Nov 21)
- Re: Can you exploit this XSS? Sverre H. Huseby (Nov 21)
- Re: Can you exploit this XSS? Robin (Nov 19)