Re: XSS question.

[zeno <bugtraq () cgisecurity net>]

> <\script> in the response. When the same response is changed to
> </script>, the script does get executed.
>
> > Obviously script isn't the only method to call
> > javascript.
>
> I am looking for ways other than <script>...</script> and <img
> src=javascript:...> to run javascripts. Any ideas on that?

I was looking but most of the things I could think of involve something along the lines of
<tag value=>

I don't know of anything along the lines of <tag=bla> (without a space)
If anybody does feel free to let me know :p




> > When
> > you encode the entire string does it leave it or attempt any type of
> > translation back?
> >
> > (aka does it simply not translate %20 or does it do this to every
> > character?)
>
> All %xx s are left as they are in the response.. so they become pretty
> much useless..


Yup.


> > - zeno () cgisecurity com
>
> Thanks,
> VAM.
>
> > > Hey I am trying to figure out a way to exploit a webserver that is
> > > supposedly vulnerable to XSS. The issues are:
> > > 1. </SCRIPT> gets converted into <\SCRIPT> in the server response.. for
> > > ScrIPT, etc too..
> > > 2. img%20src remains img%20src in the response.. (the server does no
> > > decoding)
> > >
> > > so, I am not able to make IE/others execute the javascript embedded in
> > > there. Is there any other way/ways of invoking javascript in the HTML
> > > response from the server.. e.g. any other single-worded HTML tag etc that
> > > can do something like what <img src=javascript:alert("hello")> does.. ?
> > >
> > > Thanks!