Vulnerability Development mailing list archives

Re: XSS question.


From: zeno <bugtraq () cgisecurity net>
Date: Thu, 5 Dec 2002 14:23:36 -0500 (EST)

If the server escapes everything (for example <b>hi</b> becomes \<b\>hi\<\\b\>),
then you can't XSS with the script method. As far as the browser leaving %20,
no, it won't execute. Using + instead of %20 also will not work. If you can manage
to get the XSS hole between a <script>

example

<script>
$variable-vuln-to-xss
</script> 

then it would be possible. Obviously script isn't the only method to call JavaScript. When
you encode the entire string, does it leave it or attempt any type of translation back?

(aka does it simply not translate %20, or does it do this to every character?)


- zeno () cgisecurity com




Hey, I am trying to figure out a way to exploit a webserver that is
supposedly vulnerable to XSS. The issues are:
1. </SCRIPT> gets converted into <\SCRIPT> in the server response, for
ScrIPT, etc. too.
2. img%20src remains img%20src in the response (the server does no
decoding).

So, I am not able to make IE/others execute the JavaScript embedded in
there. Is there any other way/ways of invoking JavaScript in the HTML
response from the server, e.g. any other single-worded HTML tag etc. that
can do something like what <img src=javascript:alert("hello")> does?

Thanks!


