Vulnerability Development mailing list archives

Re: Can you exploit this XSS?

From: Paul Johnston <paul () westpoint ltd uk>
Date: Thu, 20 Nov 2003 10:00:08 +0000

Hi,

Given you description, this is not normally exploitable. Depending onthe browser it may be possible to trick some browsers into thinkingyour html is broken by injecting line feeds and starting up new tags.

Thanks for the info. I did some tests, and it turns out latest IE andNetscape execute the javascript in this example (note the missing ")

<input type="hidden" name="targeturl"value="xyz><script>alert('hello')</script>

So, this would be relatively easy to exploit, but the web app sensiblyuses the strict dtd:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>


And so it really is not exploitable in this situation.

Paul

P.S. Thanks to Mike Brownbill for pointing out that this is "minimalrisk as stealing cookies from users which aren't logged in is quitesimply futile" !!!


--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk

Current thread:

Can you exploit this XSS? Paul Johnston (Nov 19)
- Re: Can you exploit this XSS? Robin (Nov 19)
  - Re: Can you exploit this XSS? Paul Johnston (Nov 19)
- Re: Can you exploit this XSS? dd (Nov 19)
  - Re: Can you exploit this XSS? Sverre H. Huseby (Nov 20)
  - Re: Can you exploit this XSS? Paul Johnston (Nov 20)
- Re: Can you exploit this XSS? mark (Nov 25)
  - Re: Can you exploit this XSS? Peter Pentchev (Nov 26)
- <Possible follow-ups>
- RE: Can you exploit this XSS? Scovetta, Michael V (Nov 19)
  - Re: Can you exploit this XSS? Paul Johnston (Nov 19)
  - RE: Can you exploit this XSS? Parity (Nov 24)
- RE: Can you exploit this XSS? Dawes, Rogan (ZA - Johannesburg) (Nov 21)
  - Re: Can you exploit this XSS? Sverre H. Huseby (Nov 21)