Full Disclosure mailing list archives
Re: [WEB SECURITY] Useful technique when performing XSS
From: "pdp (architect)" <pdp.gnucitizen () googlemail com>
Date: Wed, 7 Feb 2007 21:09:33 +0000
Hei Amit, On 2/7/07, Amit Klein <aksecurity () gmail com> wrote:
pdp (architect) wrote:Amit, :) This is not about who did it first.Agreed. But it would be nice to receive the credit ;-)
Sorry man. I knew that you have discussed this before I would definitely give you the credits. :)
BTW, your example is broken. location.search does not include the fragment identifier.Guilty as charged. I remember working directly with document.location (which includes the hostname and path) when I investigated the issue, then when I wrote my text I decided that a more elegant way would be with the ".search" property, but I failed to verify that it actually works. Thanks for pointing this out, and here's the formal errata: In http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html, the example should be: http://target.site/vulnscript.cgi?injectme= <http://target.site/vulnscript.cgi?injectme=><script>eval(document.location.substr(...[fill in the offset here]...))</script>#...JS payload here... Thanks to "pdp (architect)" for pointing this out. Regardns, -AmitCheers On 2/7/07, Amit Klein <aksecurity () gmail com> wrote:pdp (architect) wrote:http://www.gnucitizen.org/blog/playing-in-large Basically this article is about how to squeeze more data into size restricted, unsanitized field. This technique can also be used to hide attackers activities.It seems that you've stumbled upon something I already disclosed: http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html Sorry... -Amit
-- pdp (architect) | petko d. petkov http://www.gnucitizen.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Useful technique when performing XSS pdp (architect) (Feb 07)
- Re: [WEB SECURITY] Useful technique when performing XSS Amit Klein (Feb 07)
- Re: [WEB SECURITY] Useful technique when performing XSS pdp (architect) (Feb 07)
- Re: [WEB SECURITY] Useful technique when performing XSS Amit Klein (Feb 07)
- Re: [WEB SECURITY] Useful technique when performing XSS pdp (architect) (Feb 07)
- Re: [WEB SECURITY] Useful technique when performing XSS Amit Klein (Feb 07)
- Re: [WEB SECURITY] Useful technique when performing XSS pdp (architect) (Feb 07)
- Re: [WEB SECURITY] Useful technique when performing XSS Amit Klein (Feb 07)