Vulnerability Development mailing list archives
Re: Can you exploit this XSS?
From: Paul Johnston <paul () westpoint ltd uk>
Date: Thu, 20 Nov 2003 10:00:08 +0000
Hi,
> Given your description, this is not normally exploitable. Depending on the browser it may be possible to trick some browsers into thinking your html is broken by injecting line feeds and starting up new tags.
Thanks for the info. I did some tests, and it turns out latest IE and Netscape execute the javascript in this example (note the missing ")
<input type="hidden" name="targeturl" value="xyz><script>alert('hello')</script>
So, this would be relatively easy to exploit, but the web app sensibly uses the strict dtd:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
And so it really is not exploitable in this situation.
Paul
P.S. Thanks to Mike Brownbill for pointing out that this is "minimal risk as stealing cookies from users which aren't logged in is quite simply futile" !!!
--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk
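As an added example (not from Paul's message or anyone else in the thread), the following Python shows the attribute-encoding fix for the hidden targeturl field discussed above and checks, by parsing the result the way a browser tokenizer would, that user data never leaves the value attribute. The hidden_input_unsafe, hidden_input_safe, parse_tags and value_survives helpers and the sample payload are my own construction; the payload carries a closing quote so it shows the general attribute break-out rather than the unterminated-attribute quirk of the old browsers.

```python
import html
from html.parser import HTMLParser

# Constructed input: an attribute break-out of the kind discussed in the
# thread, aimed at the hidden "targeturl" field. The leading quote is what
# closes the attribute early when the value is emitted unencoded.
PAYLOAD = 'xyz"><script>alert(\'hello\')</script>'


def hidden_input_unsafe(name, value):
    """The vulnerable pattern: user data pasted straight into the attribute."""
    return '<input type="hidden" name="%s" value="%s">' % (name, value)


def hidden_input_safe(name, value):
    """The fix: encode ampersand, angle brackets and both quote characters."""
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag and its attributes, as a browser would see them."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    """Return [(tag, attrs), ...] for the markup; attribute values are decoded."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def value_survives(markup, name, value):
    """True when exactly one input tag exists and its value round-trips intact,
    i.e. the user data stayed inside the attribute and started no new tag."""
    tags = parse_tags(markup)
    return tags == [("input", {"type": "hidden", "name": name, "value": value})]


if __name__ == "__main__":
    print(parse_tags(hidden_input_unsafe("targeturl", PAYLOAD)))  # input, then script
    print(parse_tags(hidden_input_safe("targeturl", PAYLOAD)))    # input only
```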