WebApp Sec mailing list archives

RE: xxs problem


From: Dean Saxe <Dean.Saxe () DigitalInsight com>
Date: Tue, 16 Mar 2004 10:44:53 -0500

Your script requires a semicolon at the end to run.  If you use Netscape,
check the JavaScript debugger and it should report an error with your
script.


-dhs

-----Original Message-----
From: Frank Dobb [mailto:nyon1261 () yahoo com]
Sent: Tuesday, March 16, 2004 8:35 AM
To: webappsec () securityfocus com
Subject: xxs problem


To all you XSS'ers on this list.

I have been testing an application for XSS
vulnerabilities. I am very stuck and would appreciate
some advice.

When I enter the following URL :

http://standard/default.aspx?Mode=<script>alert(document.cookie)</script>&PageView=Shared

I get the <script>alert(document.cookie)</script> text
sent back in the reply. I thought this would now be
easy. However, it does not provoke an alert within the
browser.

On further analysis, I see the
<script>alert(document.cookie)</script> occurs in the
middle of a <form> statement.


<form name="form1" method="post" action="default.aspx?Mode=<SCRIPT>alert(document.cookie)</SCRIPT>&PageView=Shared" id="form1">

You can see that my injected script is in the middle
of the action statement, which is enclosed in double
quotes.

I thought I would just need to close this action
statement and then close the form. However, when I do
this by sending a "> before the injected script:

http://standard/default.aspx?Mode=";><script>alert(document.cookie)</script>&PageView=Shared

I get the following result :


<form name="form1" method="post" action="default.aspx?Mode=&quot;><SCRIPT>alert(document.cookie)</SCRIPT>&PageView=Shared" id="form1">

You can see that the > passes OK but the " is
converted to a &quot; character, which is not interpreted
by the browser.

So is this a gotcha... or is there a way I can
terminate this double-quoted string to get my script
to execute?

thanks for any advice,

regards Frank



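Added example, not code from either poster or from the application under test: a small Node.js script that reproduces the behaviour Frank describes and contrasts it with a complete attribute encoder. It models the application as an encoder that turns only " into &quot; and passes <, > and & through (an assumption inferred from the pasted output; the real page may do more), renders the <form> tag from the post with the Mode parameter reflected into the action attribute, and then scans that attribute the way an HTML tokenizer does: a double-quoted value ends only at the next matching ", and a > inside it is ordinary data, which is why the injected <script> stays inside the URL and never becomes markup. The helper and payload names (appEncode, attrEncode, noEncode, renderForm, readAttribute, payloadEscapesAttribute, PAYLOADS) are this example's own.

```javascript
// Added example (not from the original post or the application under test).
// Models the encoding Frank observed and checks, with an HTML-tokenizer-style
// attribute scan, whether a reflected payload ever leaves the attribute value.

// Assumed model of the application: only '"' is encoded; '<', '>' and '&' pass
// through. This is inferred from the pasted output, not confirmed behaviour.
function appEncode(s) {
  return s.replace(/"/g, "&quot;");
}

// Complete attribute-value encoder: every character that can close a quoted
// value or start an entity is replaced.
function attrEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// No encoding at all, i.e. what Frank expected the application to do.
function noEncode(s) {
  return s;
}

// Render the <form> tag from the post with the Mode parameter reflected into
// the action attribute. quote is '"' (as in the post), "'" or "" (unquoted).
function renderForm(mode, encode, quote = '"') {
  const action = "default.aspx?Mode=" + encode(mode) + "&PageView=Shared";
  return '<form name="form1" method="post" action=' + quote + action + quote +
    ' id="form1">';
}

// Find attribute `name` in a start tag and split the markup after its value,
// following the tokenizer rules: a quoted value ends only at the matching
// quote (a '>' inside it is plain data); an unquoted value ends at whitespace
// or at the '>' that closes the tag.
function readAttribute(html, name) {
  const start = html.indexOf(" " + name + "=");
  if (start < 0) return null;
  const i = start + name.length + 2;          // first character of the value
  const q = html[i];
  if (q === '"' || q === "'") {
    const end = html.indexOf(q, i + 1);
    if (end < 0) return null;
    return { value: html.slice(i + 1, end), rest: html.slice(end + 1) };
  }
  let end = i;
  while (end < html.length && !/[\s>]/.test(html[end])) end++;
  return { value: html.slice(i, end), rest: html.slice(end) };
}

// True if the payload ends up outside the attribute value as markup: either a
// <script> start tag or a new on*= event-handler attribute after the value.
function payloadEscapesAttribute(mode, encode, quote = '"') {
  const attr = readAttribute(renderForm(mode, encode, quote), "action");
  if (attr === null) return false;
  return /<script/i.test(attr.rest) || /\son\w+=/i.test(attr.rest);
}

// Constructed payloads: the two from the post plus two variants for the
// single-quoted and unquoted attribute cases.
const PAYLOADS = {
  plain: "<script>alert(document.cookie)</script>",
  closeQuote: '"><script>alert(document.cookie)</script>',
  closeSingle: "'><script>alert(document.cookie)</script>",
  newAttr: '" onmouseover=alert(document.cookie)',
};

// Every encoder against every quoting style and payload.
function report() {
  const rows = [];
  const encoders = [["none", noEncode], ["app", appEncode], ["full", attrEncode]];
  for (const [encName, encode] of encoders) {
    for (const quote of ['"', "'", ""]) {
      for (const [pName, payload] of Object.entries(PAYLOADS)) {
        rows.push({ encoder: encName, quote: quote || "(none)", payload: pName,
                    escapes: payloadEscapesAttribute(payload, encode, quote) });
      }
    }
  }
  return rows;
}

for (const r of report()) {
  console.log(`${r.encoder.padEnd(5)} quote=${r.quote.padEnd(6)} ` +
              `${r.payload.padEnd(12)} escapes=${r.escapes}`);
}
```

Run it with node. The double-quoted rows reproduce the post: with the "-only encoder neither payload leaves the action attribute, and it is the &quot;, not the >, that decides it. The single-quoted and unquoted rows go beyond the post: the same "-only encoding lets the payload out as soon as the attribute is single-quoted or unquoted, and even the full encoder does not make an unquoted attribute safe against a payload containing a space, so the fix on the application side is to quote the attribute and encode &, <, >, " and ' in everything reflected into it.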

