Vulnerability Development mailing list archives
Re: 5 char XSS?
From: kuza55 <kuza55 () gmail com>
Date: Mon, 28 Apr 2008 23:25:04 -0700
While this doesn't seem to apply to this particular bug, usually if you have a short unfiltered injection then your best bet is to look for a filtered injection later in the page and do a fragmentation attack in 5 chars like this:

(the </b=" is your unfiltered injection; if they use " for quotes, you would use </b=' instead; if they use both ' and " you could use </b=` but that would only work in IE)

<html>
<body>
<b/=" test" onmouseover=alert(1) some other junk which is already on the page including another tag such as a <div>div</div>
</body>
</html>

You'd probably want to use a style attribute with your filtered injection rather than event handler but I'm sure you don't need my help for that.

- kuza55

2008/4/26 Kristian Erik Hermansen <kristian.hermansen () gmail com>:
Yes, you make a good point :-). However, the purpose of the email was that we can't inject anything useful in 5 chars, so the XSS I posted merely corrupts the page a little, and does not execute any scripts on you. Honest! Go click the links and see ... Hehe

On 4/26/08, Serg B <sergeslists () gmail com> wrote:
> Am I the only one who sees the irony of an XSS related email/question
> and example URLs to click? Heh.
>
> Serg
>
>
> On Thu, Apr 24, 2008 at 9:36 AM, Kristian Erik Hermansen
> <kristian.hermansen () gmail com> wrote:
> > Just been noticing all the talk about Obama and Clinton sites and how
> > the media keeps making a big deal out of all these XSS vulns, heh.
> > However, I have a rather technical question about what, if anything,
> > you can do when you have such a small buffer to exploit XSS? Check
> > out this one I found and is not listed by xssed.com for
> > hillaryclinton.com. You only get 5 chars to inject. So, are there
> > any tricks that could possibly be used to expand the limitation via
> > perhaps some unicode kung-fu here? Dunno, but thought it might be
> > interesting to bring up because this is a common scenario in zip code
> > search fields. The fix for Clinton is as simple as whitelisting the
> > input field set to [0-9]...
> >
> > http://www.hillaryclinton.com/actioncenter/event/?mt=0&d=250&z=%22%3EXSS&s=z&EventSearchAndResults%3A_ctl0.x=0&EventSearchAndResults%3A_ctl0.y=0
> >
> > Regards,
> > --
> > Kristian Erik Hermansen
> > --
> > "Clever ones don't want the future told. They make it."
>
>
> --
> Sent from Gmail for mobile | mobile.google.com

Kristian Erik Hermansen
--
"Clever ones don't want the future told. They make it."
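An added example, not code from anyone in this thread: the server-side fix Kristian's quoted message suggests for a zip-code search field (whitelist the parameter to [0-9]), combined with attribute encoding of anything that is reflected, so that a short fragment such as the `">` or `</b="` pieces discussed above cannot close the attribute it lands in. The function names and the input markup are assumptions.

```python
import html
import re
from typing import Optional

# Constructed example: a five-digit zip-code search parameter ("z" in the
# thread's URL) handled with a strict whitelist, plus attribute encoding
# as defence in depth for any value that is reflected into the page.
ZIP_RE = re.compile(r"[0-9]{5}")  # exactly five ASCII digits, nothing else


def validate_zip(value: str) -> Optional[str]:
    """Return the value only if it is five digits; otherwise None (reject)."""
    return value if ZIP_RE.fullmatch(value) else None


def render_search_box(value: str) -> str:
    """Reflect a value into an HTML attribute with &, <, >, " and ' encoded.

    Encoding every reflection point matters for the fragmentation case in
    the thread: a short, unencoded fragment in one spot can be joined with
    a second reflection later in the page, so no spot may be left raw.
    """
    safe = html.escape(value, quote=True)
    return f'<input type="text" name="z" value="{safe}">'


def handle_request(z_param: str) -> str:
    """Whitelist first; on failure, echo nothing attacker-controlled."""
    zip_code = validate_zip(z_param)
    if zip_code is None:
        return render_search_box("")  # an error page is fine too; never echo raw input
    return render_search_box(zip_code)


if __name__ == "__main__":
    print(handle_request("90210"))
    print(handle_request('">XSS'))      # rejected by the whitelist
    print(render_search_box('</b="'))   # encoded even without the whitelist
```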
Current thread:
- 5 char XSS? Kristian Erik Hermansen (Apr 24)
- Re: 5 char XSS? Serg B (Apr 28)
- Re: 5 char XSS? Kristian Erik Hermansen (Apr 28)
- Re: 5 char XSS? kuza55 (Apr 29)
- Re: 5 char XSS? Kristian Erik Hermansen (Apr 28)
- Re: 5 char XSS? Serg B (Apr 28)