WebApp Sec mailing list archives
HTTP Response URI XSS but not in 302 Body
From: Robert.L.Grill () wellsfargo com
Date: Thu, 1 Jul 2004 12:24:37 -0700
Has anyone had an instance where they saw a successful Cross Site Scripting Exploit by receiving a script in a URL response but not in the body of the returned document? For example:

HTTP/1.1 302 Moved Temporarily
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 29 Jun 2004 00:26:25 GMT
Content-type: text/html
Location: http://www.website.com/search/tips.jhtml?statusCode=zeroresults&query=hello&searchscope=>"><script>alert('XSS')</script>&userQueryCorrected=hello&_requestid=10756
Connection: close

<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>
<H1>302 Moved Temporarily</H1><BODY> </BODY>

Thanks,
Bob
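A defender-side check for the response quoted above, as an added example that is not part of the original post: it parses a constructed copy of the 302, reports which characters that RFC 3986 disallows appear raw in the Location header and whether any query value is echoed in the body, and builds the same redirect with encoded values. The names `audit_redirect`, `build_redirect` and `RAW_UNSAFE` are hypothetical.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed copy of the 302 response quoted in the post above.
RAW = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: Sun-ONE-Web-Server/6.1\r\n"
    "Content-type: text/html\r\n"
    "Location: http://www.website.com/search/tips.jhtml?statusCode=zeroresults"
    "&query=hello&searchscope=>\"><script>alert('XSS')</script>"
    "&userQueryCorrected=hello&_requestid=10756\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>\n"
    "<H1>302 Moved Temporarily</H1><BODY> </BODY>\n"
)

# Control characters, space, and the printable characters RFC 3986 does not
# allow unescaped anywhere in a URI.
RAW_UNSAFE = re.compile(r'[\x00-\x20\x7f"<>\\^`{|}]')


def audit_redirect(raw):
    """Report where request-derived markup sits in a redirect response."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    location = headers.get("location", "")
    values = [v for _, v in parse_qsl(urlsplit(location).query)]
    return {
        "unsafe_in_location": sorted(set(RAW_UNSAFE.findall(location))),
        "values_reflected_in_body": [
            v for v in values if RAW_UNSAFE.search(v) and v in body
        ],
    }


def build_redirect(base, params):
    """Build a Location value with every parameter value percent-encoded.

    urlencode() escapes <, >, quotes, CR and LF, so request data cannot add
    markup or extra header lines to the redirect.
    """
    return base + "?" + urlencode(params)
```

For the sample, the audit shows raw `"`, `<` and `>` in the Location header and nothing reflected in the 302 body, which is the situation the post describes; the page the redirect points to needs its own output-encoding review.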