<a href="http://g.adspeed.net/ad.php?do=clk&zid=14678&wd=728&ht=90&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=14678&wd=728&ht=90&pair=as" alt="i" width="728" height="90"/></a>

Nmap Security Scanner

Docs
Security Lists

Full Disclosure

More
Security Tools

Packet crafters

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

edgeos

WebApp Sec: Re: Execution of Javascript from PERL

Re: Execution of Javascript from PERL

From: Martin Eiszner <martin_at_websec.org>
Date: Thu, 17 Apr 2003 17:15:34 +0200

hola,

On Thu, 17 Apr 2003 10:52:45 -0400
"Brass, Phil (ISS Atlanta)" <PBrass_at_iss.net> wrote:

**********
> The real problem is not getting the JavaScript in the page to execute,
> it's getting it to execute in a meaningful context
**********

from the security-testing point of view its not necessary to execute any script .. because:

IF input
"<script>thingstodo();</script>"
LEADS TO output
"<script>thingstodo();</script>"

the application is definitively vulnerable !!!

and it is a confuguration-issue to check for all "known" and "unknown" script-tags and -objects !!

nice day,
mEi

-- 
WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE
mei_at_websec.org
http://www.websec.org
tel: 0043 699 121772 37

Received on Apr 17 2003

This message: [ Message body ]
Next message: Indian Tiger: "RE: Proof of Concept Tool on Web Application Security"
Previous message: Brass, Phil (ISS Atlanta): "RE: Execution of Javascript from PERL"
In reply to: Brass, Phil (ISS Atlanta): "RE: Execution of Javascript from PERL"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]

edgeos