Vulnerability Development mailing list archives

Re: 5 char XSS?


From: "Kristian Erik Hermansen" <kristian.hermansen () gmail com>
Date: Sat, 26 Apr 2008 10:02:06 -0700

Yes, you make a good point :-). However, the purpose of the email was
that we can't inject anything useful in 5 chars, so the XSS I posted
merely corrupts the page a little, and does not execute any scripts on
you.  Honest!  Go click the links and see ... Hehe



On 4/26/08, Serg B <sergeslists () gmail com> wrote:
Am I the only one who sees the irony of an XSS related email/question
and example URLs to click? Heh.

   Serg


On Thu, Apr 24, 2008 at 9:36 AM, Kristian Erik Hermansen
<kristian.hermansen () gmail com> wrote:
Just been noticing all the talk about Obama and Clinton sites and how
 the media keeps making a big deal out of all these XSS vulns, heh.
 However, I have a rather technical question about what, if anything,
 you can do when you have such a small buffer to exploit XSS?  Check
 out this one I found and is not listed by xssed.com for
 hillaryclinton.com.  You only get 5 chars to inject.  So, are there
 any tricks that could possibly be used to expand the limitation via
 perhaps some unicode kung-fu here?  Dunno, but thought it might be
 interesting to bring up because this is a common scenario in zip code
 search fields.  The fix for Clinton is as simple as whitelisting the
 input field set to [0-9]...


http://www.hillaryclinton.com/actioncenter/event/?mt=0&d=250&z=%22%3EXSS&s=z&EventSearchAndResults%3A_ctl0.x=0&EventSearchAndResults%3A_ctl0.y=0

 Regards,
 --
 Kristian Erik Hermansen
 --
 "Clever ones don't want the future told. They make it."



-- 
Sent from Gmail for mobile | mobile.google.com

Kristian Erik Hermansen
--
"Clever ones don't want the future told. They make it."
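
The allowlist fix named in the original post, as an added example that is not part of the thread or the site's code: it decodes the `z` parameter from the URL quoted above and compares a 5-character length cap with a `[0-9]` allowlist. The function names and the `<input>` markup are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# URL quoted in the thread; its z parameter decodes to the 5 characters ">XSS
THREAD_URL = ("http://www.hillaryclinton.com/actioncenter/event/"
              "?mt=0&d=250&z=%22%3EXSS&s=z"
              "&EventSearchAndResults%3A_ctl0.x=0&EventSearchAndResults%3A_ctl0.y=0")

# Explicit ASCII class: \d and str.isdigit() also accept non-ASCII digits,
# so they are a wider set than the [0-9] the post asks for.
ZIP_RE = re.compile(r"[0-9]{5}")


def zip_param(url):
    """Return the decoded z parameter of a search URL ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("z", [""])[0]


def length_only_ok(value):
    """Weak check: a 5-character cap, which the thread's input satisfies."""
    return len(value) <= 5


def allowlist_ok(value):
    """Fix from the post: digits 0-9 only, matched against the whole value.

    fullmatch() is used because '$' would also match before a trailing newline.
    """
    return ZIP_RE.fullmatch(value) is not None


def render_field(value):
    """Echo a value into an attribute (hypothetical markup), HTML-encoded so
    that input failing validation cannot close the attribute or the tag."""
    return '<input name="z" value="%s">' % html.escape(value, quote=True)


if __name__ == "__main__":
    z = zip_param(THREAD_URL)
    print(repr(z), length_only_ok(z), allowlist_ok(z))
    print(render_field(z))
```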

