PaulDotCom mailing list archives

XSS, Command and SQL Injection vectors: Beyond the Form


From: jim.halfpenny at gmail.com (Jim Halfpenny)
Date: Thu, 4 Jun 2009 06:54:39 +0100

Examples include just about anything that reads data. There have been XSS
issues with log monitoring software where log data is not sanitised before
being parsed and displayed. PTK, a web frontend for The Sleuth Kit, had an
arbitrary command execution vulnerability when reading a maliciously crafted
file name on a disk image.

Jim

2009/6/4 Adrian Crenshaw <irongeek at irongeek.com>

We are all familiar with XSS via a form field in a web application, but
what about other vectors? The article talks about using User Agent strings,
even logs, object properties and other odd alternative vectors for XSS, SQL
and command injection.


http://www.irongeek.com/i.php?page=security/xss-sql-and-command-inject-vectors

What other vectors can you think of? Any real world examples?

Adrian

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
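The two cases raised in this thread (a log viewer rendering an attacker-chosen User-Agent string, and a forensic tool handing a file name from a disk image to a shell) can be shown side by side in a short script. This is an added example, not code from the thread or from PTK or any other product named in it; the log lines, the table renderer and the `file` command wrapper are all constructed for illustration.

```python
"""Added example (not code from the list thread or from any product it names).

Two readers of data that never passed through a web form:
  1. a log viewer that turns access-log lines into an HTML table, where the
     User-Agent field is whatever the client chose to send;
  2. a tool that hands a file name taken from a disk image to a shell command.
Each is shown in its unsafe form beside a hardened one.  All sample data is
constructed for this example.
"""
import html
import re
import shlex

# Constructed Apache "combined" log lines.  The second line's User-Agent field
# carries HTML, which is exactly what arrives if the client sets it that way.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jun/2009:06:54:39 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [04/Jun/2009:06:55:01 +0100] "GET /login HTTP/1.1" 200 734 "-" '
    '"<script>alert(1)</script>"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# C0 control characters other than tab: a header containing "\n" could forge a
# second log line, so the viewer strips them before display.
CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def parse_line(line):
    """Split one combined-format line into its named fields."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError("unrecognised log line: %r" % line)
    return m.groupdict()


def render_row_unsafe(entry):
    """Vulnerable: fields are interpolated into HTML as-is, so a User-Agent of
    '<script>...' becomes live markup in the analyst's browser."""
    return "<tr><td>{ip}</td><td>{req}</td><td>{ua}</td></tr>".format(**entry)


def render_row_safe(entry):
    """Hardened: every field is escaped at the point of output, after control
    characters have been removed."""
    def clean(value):
        return html.escape(CONTROL_RE.sub("", value), quote=True)
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (
        clean(entry["ip"]), clean(entry["req"]), clean(entry["ua"]))


def render_table(lines, renderer):
    """Render a list of raw log lines with the given row renderer."""
    return "<table>" + "".join(renderer(parse_line(l)) for l in lines) + "</table>"


# --- file names read from an untrusted disk image ---------------------------

def file_command_unsafe(name):
    """Vulnerable: the file name is spliced into a shell command line, so a
    name containing shell metacharacters changes which command runs."""
    return "file " + name


def file_command_safe(name):
    """Hardened: pass the name as one argv element with no shell involved;
    '--' stops a name beginning with '-' being read as an option."""
    return ["file", "--", name]


def file_command_quoted(name):
    """If a shell string is unavoidable, quote the name so metacharacters are literal."""
    return "file -- " + shlex.quote(name)


if __name__ == "__main__":
    print(render_table(SAMPLE_LOG, render_row_unsafe))
    print(render_table(SAMPLE_LOG, render_row_safe))
    demo = "photo.jpg; echo injected"   # constructed file name from an image
    print(file_command_unsafe(demo))
    print(file_command_safe(demo))
    print(file_command_quoted(demo))
```

The point of the two renderers is that the fix belongs at the output boundary, not at the form: the log line was written by whatever the client sent, so the only place the viewer can make it safe is when it turns the stored text into HTML. The same applies to the file name: the disk image is untrusted input, and the argv list form avoids the shell entirely, which is preferable to quoting.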


