XSS, Command and SQL Injection vectors: Beyond the Form
From: jim.halfpenny at gmail.com (Jim Halfpenny)
Date: Thu, 4 Jun 2009 06:54:39 +0100
Examples include just about anything that reads data. There have been XSS
issues with log monitoring software where log data is not sanitised before
being parsed and displayed. PTK, a web frontend for The Sleuth Kit, had an
arbitrary command execution vulnerability when reading a maliciously crafted
file name on a disk image.
2009/6/4 Adrian Crenshaw <irongeek at irongeek.com>

> We are all familiar with XSS via a form field in a web application, but
> what about other vectors? The article talks about using User Agent strings,
> even logs, object properties and other odd alternative vectors for XSS, SQL
> and command injection.
>
> What other vectors can you think of? Any real world examples?
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
Main Web Site: http://pauldotcom.com
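The two cases Jim mentions (log viewers that render unsanitised log data, and a forensic tool that hands a recovered file name to a shell) share one root cause: data that arrives through a channel other than a form field is still attacker-controlled. The following is an added example in Python, not code from the thread, from PTK or from any log-monitoring product. The access-log lines, the `render_unsafe`/`render_safe` renderers and the `build_hash_argv` helper are all constructed here for illustration.

```python
import html
import re

# Constructed sample lines in combined access-log format (not taken from the
# thread). The User-Agent field of the second line carries HTML, which is the
# kind of untrusted content a log viewer ends up displaying.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jun/2009:06:54:39 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Jun/2009:06:55:02 +0100] "GET /login HTTP/1.1" 200 734 "-" "<script>alert(1)</script>"',
]

# Combined log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Split one access-log line into its named fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    return m.groupdict()


def render_unsafe(entry):
    """Vulnerable renderer: field values are concatenated straight into markup,
    so any HTML carried in the User-Agent becomes live markup in the viewer."""
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (
        entry["ip"], entry["req"], entry["ua"])


def render_safe(entry):
    """Hardened renderer: every untrusted field is HTML-escaped at the output
    boundary, regardless of where the value originally came from."""
    cells = (html.escape(entry[k], quote=True) for k in ("ip", "req", "ua"))
    return "<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>"


def build_hash_argv(filename):
    """Command-injection side of the same lesson. A file name recovered from a
    disk image is data, not shell syntax: passing it as a single argv element
    (to be run with shell=False) keeps ';', '|', '$(' and friends inert, and
    '--' stops a name starting with '-' from being parsed as an option."""
    if "\x00" in filename:
        raise ValueError("NUL byte in file name")
    return ["sha1sum", "--", filename]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        entry = parse_line(line)
        print("unsafe:", render_unsafe(entry))
        print("safe:  ", render_safe(entry))
    print(build_hash_argv("evidence.txt; id"))
```

The important design point is where the escaping happens: `render_safe` escapes at the moment the value is written into HTML, not when the log line is collected, so it does not matter whether the value came from a form, a header, or a file on a disk image. Likewise `build_hash_argv` never builds a shell string; the file name stays one argument, which is the property that removes the PTK-style bug class rather than patching one character at a time.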