WebApp Sec mailing list archives

Re: Execution of Javascript from PERL

From: Martin Eiszner <martin () websec org>
Date: Thu, 17 Apr 2003 17:15:34 +0200


hola,

On Thu, 17 Apr 2003 10:52:45 -0400
"Brass, Phil (ISS Atlanta)" <PBrass () iss net> wrote:

**********

The real problem is not getting the JavaScript in the page to execute,
it's getting it to execute in a meaningful context

**********


from the security-testing point of view its not necessary to execute any script .. because:
 
IF input 
        "<script>thingstodo();</script>"
LEADS TO output 
        "<script>thingstodo();</script>"

the application is definitively vulnerable !!! 


and it is a confuguration-issue to check for all "known" and "unknown" script-tags and -objects !!




nice day, 
mEi


-- 
WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE

mei () websec org
http://www.websec.org
tel: 0043 699 121772 37

Current thread:

Execution of Javascript from PERL EEshwar (Apr 17)
- Re: Execution of Javascript from PERL Alex Russell (Apr 17)
- <Possible follow-ups>
- RE: Execution of Javascript from PERL Brass, Phil (ISS Atlanta) (Apr 17)
  - Re: Execution of Javascript from PERL Martin Eiszner (Apr 17)