Vulnerability Development mailing list archives
Re: XSS question.
From: zeno <bugtraq () cgisecurity net>
Date: Thu, 5 Dec 2002 16:49:27 -0500 (EST)
<\script> in the response. When the same response is changed to </script>, the script does get executed.
Obviously script isn't the only method to call javascript.
I am looking for ways other than <script>...</script> and <img src=javascript:...> to run javascripts. Any ideas on that?
I was looking, but most of the things I could think of involve something along the lines of <tag value=>. I don't know of anything along the lines of <tag=bla> (without a space). If anybody does, feel free to let me know :p
When you encode the entire string does it leave it or attempt any type of translation back? (aka does it simply not translate %20 or does it do this to every character?)
All %xx s are left as they are in the response.. so they become pretty much useless..
Yup.
- zeno () cgisecurity com
Thanks, VAM.
Hey I am trying to figure out a way to exploit a webserver that is supposedly vulnerable to XSS. The issues are:
1. </SCRIPT> gets converted into <\SCRIPT> in the server response.. for ScrIPT, etc too..
2. img%20src remains img%20src in the response.. (the server does no decoding) so, I am not able to make IE/others execute the javascript embedded in there.
Is there any other way/ways of invoking javascript in the HTML response from the server.. e.g. any other single-worded HTML tag etc that can do something like what <img src=javascript:alert("hello")> does.. ?
Thanks!
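The filter behaviour reported in the original question, modelled next to HTML output encoding, as an added example that is not part of any post in this thread. The function names are hypothetical and the filter's regex is an assumption inferred from the reported behaviour; it shows why rewriting one closing tag leaves markup in the response while encoding does not.

```javascript
// Added example: a model of the filter described in the thread (assumed
// behaviour) beside HTML output encoding. All names here are hypothetical.

// The filter as reported: every case variant of "</script>" is rewritten to
// "<\script>"; nothing else is touched and %xx sequences are not decoded.
function reportedFilter(input) {
  return input.replace(/<\/(script)>/gi, '<\\$1>');
}

// Output encoding for an HTML text context: encode the metacharacters so the
// browser renders the value as text instead of parsing it as markup.
function encodeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// True if the string still contains something a browser parses as a tag.
function containsMarkup(s) {
  return /<[a-zA-Z\/!]/.test(s);
}

// Constructed samples, built only from strings quoted in the thread.
const samples = [
  '<script>alert("hello")</SCRIPT>',
  '<img src=javascript:alert("hello")>',
  'img%20src',
];

// Run both treatments over every sample and report what survives.
function compare() {
  return samples.map((s) => ({
    input: s,
    filtered: reportedFilter(s),
    filteredHasMarkup: containsMarkup(reportedFilter(s)),
    encoded: encodeHtml(s),
    encodedHasMarkup: containsMarkup(encodeHtml(s)),
  }));
}

console.table(compare());
```

Encoding at the point of output covers every tag and attribute at once, which a rewrite rule for a single tag name cannot do.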
Current thread:
- XSS question. VAM (Dec 05)
- Re: XSS question. zeno (Dec 05)
- <Possible follow-ups>
- Re: XSS question. VAM (Dec 05)
- Re: XSS question. zeno (Dec 05)