Bugtraq mailing list archives

RE: XSS bug in hotmail login page
From: Thor Larholm <Thor () jubii dk>
Date: Tue, 8 Oct 2002 11:00:56 +0200

From: Russell Harding [mailto:hardingr () cunap com]
Is there another way to exploit this which I am not seeing?
Or does MSN actually have their act together (in this particular case...)?


P.S. Well, I suppose the real question may be this:
Is there a way to concatenate javascript strings without "+" or "%2B"?

Sure there is, the first that springs to mind is to use the replace method
which all strings have:

var myString = "hi $".replace('$','monkeyboy');
alert( myString ); // alerts "hi monkeyboy"

The first argument can be either a string or a regular expression.


Thor Larholm
Jubii A/S - Internet Programmer
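
Added example, not part of the original message and not MSN's code: since the replace() expression above contains no "+" at all, a filter that only removes "+" and "%2B" leaves it untouched, whereas encoding the value for its output context keeps it inert. The functions stripPlus, escapeForJsString and decodeLiteral are hypothetical, and the sketch assumes the reflected value lands inside a quoted JavaScript string literal.

```javascript
// Added illustration; the filter and encoder below are constructed, not MSN's code.

// Hypothetical blocklist: delete "+" and its URL-encoded form "%2B".
function stripPlus(input) {
  return input.replace(/\+|%2B/gi, '');
}

// Contextual encoder for a value placed inside a quoted JS string literal:
// everything outside a small allowlist becomes a \uXXXX escape, so quotes,
// backslashes, "<", "/" and line terminators cannot end the literal or the
// enclosing <script> element.
function escapeForJsString(input) {
  return String(input).replace(/[^A-Za-z0-9 ,._]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Decode the literal the way a JS engine would, to show the data is unchanged.
function decodeLiteral(escaped) {
  return JSON.parse('"' + escaped + '"');
}

// Constructed sample: the expression from the message above, as untrusted input.
const sample = `"hi $".replace('$','monkeyboy')`;

function demo() {
  const filtered = stripPlus(sample);
  const escaped = escapeForJsString(sample);
  return {
    // false: the blocklist never fires on this input
    filterChangedIt: filtered !== sample,
    escaped,
    // false: no raw quote, bracket or slash survives outside a \uXXXX escape
    hasRawDelimiter: /["'<>\\/]/.test(escaped.replace(/\\u[0-9a-f]{4}/g, '')),
    // true: the script sees the same text, but only as string data
    roundTrips: decodeLiteral(escaped) === sample,
  };
}

console.log(demo());
```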