One typo you do have is: alert(document.cookie)
Should be: alert('document.cookie')

>Tuesday, March 16, 2004 7:35 AM
> To all you xxx'ers on this list.
>
> I have been testing an application for XSS
> vulnerabilities. I am very stuck & would appreciate
> some advice.
>
> When I enter the following URL :
>
>
> http://standard/default.aspx?Mode=<script>alert(document.cookie)</script>&PageView=Shared
>
> I get the <script>alert(document.cookie)</script> text
> sent back in the reply. I thought this would now be
> easy - However it does not provoke an alert within the
> browser.
>
> On further analysis, I see the
> <script>alert(document.cookie)</script> occurs in the
> middle of a <form> statement.
>
>
> <form name="form1" method="post"
>
> action="default.aspx?Mode=<SCRIPT>alert(document.cookie)</SCRIPT>&PageView=Shared"
> id="form1">
>
> you can see that my injected script is in the middle
> of the action statement which is enclosed in double
> quotes.
>
> I thought I would just need to close this action
> statement and then close the form. However, when I do
> this by
> sending a "> before the injected script
>
>
> http://standard/default.aspx?Mode="><script>alert(document.cookie)</script>&PageView=Shared
>
>
> I get the following result :
>
>
> <form name="form1" method="post"
>
> action="default.aspx?Mode=&quot;><SCRIPT>alert(document.cookie)</SCRIPT>&PageView=Shared"
> id="form1">
>
>
> You can see that the > passes OK but the " is
> converted to a &quot; character - which is not interpreted
> by the browser.
>
> So is this a gotcha... or is there a way I can
> terminate this double-quoted string to get my script
> to execute?
>
> thanks for any advice,
>
> regards Frank
>
Received on Mar 17 2004
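Added example, not part of the thread above and not the tested application's code: it models the attribute-context encoding Frank observed (the reflected `"` comes back as `&quot;` while `<` and `>` pass through), puts a stricter encoder beside it, and walks the resulting `<form>` markup the way a browser's tokenizer bounds a double-quoted attribute value. The `weakAttrEncode` behaviour (encode only `&` and `"`) is an assumption inferred from the output in the post, and `findExecutableScript` is a deliberately simplified model of the parser, not the real HTML5 state machine.

```javascript
// Added example, not from the original thread. Models the HTML-attribute
// encoding Frank observed (only the double quote survives as &quot;) beside a
// stricter encoder, and walks the resulting markup the way a browser
// tokenizer bounds a double-quoted attribute value.

// Constructed payload: the one used in the second URL of the post.
const PAYLOAD = '"><script>alert(document.cookie)</script>';

// ASSUMPTION: the application encodes only & and " in attribute values, which
// matches the output in the post (< and > came back untouched, " became &quot;).
function weakAttrEncode(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Hardened encoder for the attribute context: also neutralises < > and ' so the
// value can never start a new tag or break out of a single-quoted attribute.
function strictAttrEncode(s) {
  const map = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
  return s.replace(/[&"'<>]/g, (c) => map[c]);
}

// Reproduces the <form> line from the post with the Mode parameter reflected
// into the action attribute through the chosen encoder.
function renderForm(mode, encode) {
  return '<form name="form1" method="post" ' +
    'action="default.aspx?Mode=' + encode(mode) + '&PageView=Shared" id="form1">';
}

// Simplified tokenizer model: inside a tag, a double- or single-quoted attribute
// value runs to the next *literal* matching quote; character references such as
// &quot; are decoded only after that boundary is fixed, so they cannot end the
// value. Returns true if a <script tag is reached outside any attribute value.
function findExecutableScript(html) {
  let inTag = false;
  let quote = null;
  for (let i = 0; i < html.length; i++) {
    const c = html[i];
    if (!inTag) {
      if (html.slice(i, i + 7).toLowerCase() === '<script') return true;
      if (c === '<') inTag = true;
    } else if (quote !== null) {
      if (c === quote) quote = null;
    } else if (c === '"' || c === "'") {
      quote = c;
    } else if (c === '>') {
      inTag = false;
    }
  }
  return false;
}

// Extracts the action attribute's raw value using the same literal-quote rule.
function actionValue(html) {
  const m = /action="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// Decodes the references the two encoders emit, i.e. what the browser stores as
// the attribute's value once the boundary has been found.
function decodeAttrValue(v) {
  const map = { '&amp;': '&', '&quot;': '"', '&#39;': "'", '&lt;': '<', '&gt;': '>' };
  return v.replace(/&(?:amp|quot|#39|lt|gt);/g, (m) => map[m]);
}

// Stand-alone demonstration of the three reflections.
const encoders = [['raw', (s) => s], ['weak', weakAttrEncode], ['strict', strictAttrEncode]];
for (const [name, enc] of encoders) {
  const html = renderForm(PAYLOAD, enc);
  console.log(name + ': ' + (findExecutableScript(html)
    ? 'script executes (attribute closed)'
    : 'script stays inside the attribute value'));
  console.log('  action value seen by the browser: ' + decodeAttrValue(actionValue(html)));
}
```

With the weak encoder the decoded action value still contains the literal `"><script>...` text, which is why the payload shows up intact in the reply, but the browser fixed the attribute boundary at the real closing quote before decoding `&quot;`, so nothing leaves the attribute. The model ignores unquoted attribute values and the other tokenizer states, which is enough for the double-quoted case in the post but not a general parser.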