Full Disclosure mailing list archives
Re: [WEB SECURITY] Useful technique when performing XSS
From: Amit Klein <aksecurity () gmail com>
Date: Wed, 07 Feb 2007 23:07:05 +0200
pdp (architect) wrote:
Amit, :) This is not about who did it first.
Agreed. But it would be nice to receive the credit ;-)
BTW, your example is broken. location.search does not include the fragment identifier.
Guilty as charged. I remember working directly with document.location (which includes the hostname and path) when I investigated the issue, then when I wrote my text I decided that a more elegant way would be with the ".search" property, but I failed to verify that it actually works. Thanks for pointing this out, and here's the formal errata: In http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html, the example should be: http://target.site/vulnscript.cgi?injectme= <http://target.site/vulnscript.cgi?injectme=><script>eval(document.location.substr(...[fill in the offset here]...))</script>#...JS payload here... Thanks to "pdp (architect)" for pointing this out. Regardns, -Amit
Cheers On 2/7/07, Amit Klein <aksecurity () gmail com> wrote:pdp (architect) wrote:http://www.gnucitizen.org/blog/playing-in-large Basically this article is about how to squeeze more data into size restricted, unsanitized field. This technique can also be used to hide attackers activities.It seems that you've stumbled upon something I already disclosed: http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html Sorry... -Amit
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Useful technique when performing XSS pdp (architect) (Feb 07)
- Re: [WEB SECURITY] Useful technique when performing XSS Amit Klein (Feb 07)
- Re: [WEB SECURITY] Useful technique when performing XSS pdp (architect) (Feb 07)
- Re: [WEB SECURITY] Useful technique when performing XSS Amit Klein (Feb 07)
- Re: [WEB SECURITY] Useful technique when performing XSS pdp (architect) (Feb 07)
- Re: [WEB SECURITY] Useful technique when performing XSS Amit Klein (Feb 07)
- Re: [WEB SECURITY] Useful technique when performing XSS pdp (architect) (Feb 07)
- Re: [WEB SECURITY] Useful technique when performing XSS Amit Klein (Feb 07)