Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

Re: 5 char XSS?
From: kuza55 <kuza55 () gmail com>
Date: Mon, 28 Apr 2008 23:25:04 -0700
While this doesn't seem to apply to this particular bug, usually if
you have a short unfiltered injection then your best bet is to look
for a filtered injection later in the page and do a fragmentation
attack in 5 chars like this: (the </b=" is your unfiltered injection;
if they use " for quotes, you would use </b=' instead; if they use
both ' and " you could use </b=` but that would only work in IE)

<html>
<body>
<b/="

test" onmouseover=alert(1)

some other junk which is already on the page including another tag
such as a <div>div</div>
</body>
</html>

You'd probably want to use a style attribute with your filtered
injection rather than event handler but I'm sure you don't need my
help for that.

 - kuza55

2008/4/26 Kristian Erik Hermansen <kristian.hermansen () gmail com>:

Yes, you make a good point :-). However, the purpose of the email was
 that we can't inject anything useful in 5 chars, so the XSS I posted
 merely corrupts the page a little, and does not execute any scripts on
 you.  Honest!  Go click the links and see ... Hehe





 On 4/26/08, Serg B <sergeslists () gmail com> wrote:
 > Am I the only one who sees the irony of an XSS related email/question
 > and example URLs to click? Heh.
 >
 >    Serg
 >
 >
 > On Thu, Apr 24, 2008 at 9:36 AM, Kristian Erik Hermansen
 > <kristian.hermansen () gmail com> wrote:
 > > Just been noticing all the talk about Obama and Clinton sites and how
 > >  the media keeps making a big deal out of all these XSS vulns, heh.
 > >  However, I have a rather technical question about what, if anything,
 > >  you can do when you have such a small buffer to exploit XSS?  Check
 > >  out this one I found and is not listed by xssed.com for
 > >  hillaryclinton.com.  You only get 5 chars to inject.  So, are there
 > >  any tricks that could possibly be used to expand the limitation via
 > >  perhaps some unicode kung-fu here?  Dunno, but thought it might be
 > >  insteresting bring up because this is a common scenario in zip code
 > >  search fields.  The fix for Clinton is as simple as whitelisting the
 > >  input field set to [0-9]...
 > >
 > >
 > 
http://www.hillaryclinton.com/actioncenter/event/?mt=0&d=250&z=%22%3EXSS&s=z&EventSearchAndResults%3A_ctl0.x=0&EventSearchAndResults%3A_ctl0.y=0
 > >
 > >  Regards,
 > >  --
 > >  Kristian Erik Hermansen
 > >  --
 > >  "Clever ones don't want the future told. They make it."
 > >
 >

 --
 Sent from Gmail for mobile | mobile.google.com



 Kristian Erik Hermansen
 --
 "Clever ones don't want the future told. They make it."

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]