WebApp Sec mailing list archives

Re: XSS?

From: Tom Gallagher <tom () SecurityBugHunter com>
Date: Tue, 15 Nov 2005 04:52:39 -0500

This isn't exactly XSS, since you can't run script.  They are taking your data
from the 'q' parameter and doing a 302 redirect on it.  Like you point out,
this causes some confusion and phishers love stuff like this.

When you test pages that redirect, good test cases to try are HTTP Splitting
(http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf)
cases where you attempt to inject CRLFs.

Tom

Quoting Andrew Chan <quickt () gmail com>:

I tried http://www.google.com/url?q=http://www.microsoft.com and it got
directed. it seems that I received one such phishing email that makes
use of this to obfuscate the actual URL lately.

Current thread:

XSS? Andrew Chan (Nov 15)
- Re: XSS? Tom Gallagher (Nov 15)
- <Possible follow-ups>
- Re: XSS? Aman Raheja (Nov 15)
  - Re: XSS? Serg B. (Nov 15)
    - Re: XSS? Aman Raheja (Nov 17)
    - Re: XSS? Serg Belokamen (Nov 17)
    - Re: XSS? Andrew Chan (Nov 18)
  - Re: XSS? Pilon Mntry (Nov 15)
- RE: XSS? Matt Fisher (Nov 30)